MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020
SHA3-384 hash:	8c61a0c10f65bf10d50d9e689da0fcd7f60c9e58e8df6e271887335e78a219eb82996dcd2060add6d1c839bb446e9c11
SHA1 hash:	5a6a124d73391b021ffb15b5fe0bef53882e9d9b
MD5 hash:	33d849675e66bf8332b4bb2e4a1d923f
humanhash:	blue-table-india-venus
File name:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	843'264 bytes
First seen:	2021-05-10 07:12:11 UTC
Last seen:	2021-05-10 08:08:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:Z70hHwq6oGbWgW4nVV2aiGnCqlAkS6cGfRxyFkpHbsM:h0hQDoG66nVOjab7s
Threatray	5'020 similar samples on MalwareBazaar
TLSH	4E050750B1439ADDC83D76F4D39CDC7852E1ECE24E20E668EEA932694739F4E01ED621
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/153781/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/779620

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020/

Threat name:

ByteCode-MSIL.Infostealer.Coins

Status:

Malicious

First seen:

2021-05-09 22:43:26 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o6qgkvk6ycs4jx5244wnwa226rpn66mxwgcz7j22cwgeb4izuaqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

4cced354a0867338e39875526796861c483e8475bdacd117dd34ad1c2d89ec63

Formbook

5c8301f5ec2ae8cca6eb7aca8cd2578811019bcc261e16fe84f1bf7231676805

Formbook

6733d0ce3ad0c63755f82e7c05a815f2420cccd7f7775dd9227732f59e7fafff

Formbook

786e182e324b83c59ad1b095f7d520598a1b72cfce239b4274d462c7ba45bf18

Formbook

7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a

Formbook

7f30f6235ede3ca640a27c640c291228e74c1699b460147d5c18bddc3795bd8b

Formbook

b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

Formbook

ed6b9ae0e3a62d8c24788b8d5b9ffcb9317861746bfc7864777db86369a3def4

Formbook

f86b0f3ec06d574080bd86e2980c7d04c29d4093d025fe592a567b5767031d2b

Formbook

+ 5'010 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210510-2xfpnetsja/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.rogegalmish.com/a8si/

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/1e31132e-a111-43cd-b5b9-e3c2193e29fa/

SH256 hash:

77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020

MD5 hash:

33d849675e66bf8332b4bb2e4a1d923f

SHA1 hash:

5a6a124d73391b021ffb15b5fe0bef53882e9d9b

Link:

https://www.unpac.me/results/1e31132e-a111-43cd-b5b9-e3c2193e29fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153781/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample