MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097
SHA3-384 hash:	6890b0f6b0d5670bf191ed317e5f0bdecafc07edf58aa690b25b86afe7c071db7eefdcbfb48ff445d3bff6343b6bf819
SHA1 hash:	645111b29a544379ee7c15b44ec11fef103158f3
MD5 hash:	a4830938aeb704c9b11b2261efdef1fc
humanhash:	football-apart-equal-alanine
File name:	PO-NOV20211115.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	4'839'424 bytes
First seen:	2021-11-15 13:38:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:O/5zNQG89I8GhMTGS8AA+Mr7mGwNrUKSzdokAJYAxvD:8QG4I8JzA+MGbNr78dokAJYE
Threatray	9'369 similar samples on MalwareBazaar
TLSH	T114267302663CE9C7F45C2D7254DC8B6C2EE06C5C4936941EFA93B6EAD43F143D9222E6
File icon (PE):
dhash icon	308a8a8c8c8a8a30 (6 x AgentTesla, 3 x Formbook, 2 x a310Logger)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/205940/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated

Link:

https://www.filescan.io/uploads/619262f7a00afa9663a85ac0/reports/c870536f-856d-4bf0-b37d-029ff1bd4ab8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ad142e9-2306-49f6-95f1-6801251f63c3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097/

Threat name:

ByteCode-MSIL.Trojan.Bingoml

Status:

Malicious

First seen:

2021-11-15 10:52:18 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5vfyifdi7tst7m7uaryqzz7g5u2jjnkpvhej5lzywa4tkji4clq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2585845349d420cec529b285a268b989ba28f135aa5332d3ce9122bbf53b5ce4

Formbook

26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495

Formbook

9e433f562c623ddfcc0248f72a1c721916fc93ad56d18c4eb7ef6e60f8d7c1f2

Formbook

b3bc74c1f3673da08a95775af5f39dd116a249d8a7e597fcd8bb56e07ae3bcd2

Formbook

c51d71a9a012a15d2c68395435c84694ad58dd37987e6286ef31d2625cf14721

Formbook

c6106fc0a5a8a0fb4a2245bd159b22ed22ec40840826b51b585f78f97f860be8

Formbook

d78094f3b6eac87e2d4249671bdc4e044afb31e2e78aac8f2db7186c6d5b6db1

Formbook

f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

Formbook

+ 9'359 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:re6p agilenet loader rat suricata

Link:

https://tria.ge/reports/211115-qxyt6afdhm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Drops startup file

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.workwithmarym.com/re6p/

Unpacked files

SH256 hash:

776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

MD5 hash:

a4830938aeb704c9b11b2261efdef1fc

SHA1 hash:

645111b29a544379ee7c15b44ec11fef103158f3

Link:

https://www.unpac.me/results/67a61ad7-e918-45fb-ac00-b1fe88e68fa3/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/776a5c20a347/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/205940/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample