MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5
SHA3-384 hash: 3ef1729a4c065013baee440fed2d79ca75052e8922643960012f646c7481bd78d572479001097810d7a3157362c27ec9
SHA1 hash: 2b327374dfb4e49ba276598c27be4d6d4cba2d2a
MD5 hash: 93f117ea1f6e392f15d38b9968b3ce74
humanhash: fifteen-neptune-bulldog-early
File name:2T65434568--9876543457890-87654.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:346'456 bytes
First seen:2021-09-20 11:04:30 UTC
Last seen:2021-09-20 11:51:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:78LxBAz+3meeKNf59pCoappIO+QUUM+lFLGeeWFS7bvI2TGWJkvLDXT:mmeeKr95yO6zDWI2TGkkT
Threatray 9'514 similar samples on MalwareBazaar
TLSH T13974BFC67BB05852DE04D63DC32E6F15A92B2F746BE0A10BD6417873ABF36CD0817A25
File icon (PE):PE icon
dhash icon 8b13396969336921 (9 x Formbook, 7 x AgentTesla, 4 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2T65434568--9876543457890-87654.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 11:06:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a187e70-f9f2-4240-95d8-4a924af2f769

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189399/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.24563.28926.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6577bc3d-0e00-4bc9-8e89-8b5826d9add8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853962
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 11:05:08 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pai32fglp7u54mfp5ncmutjpacpa4xyercwqp4ucvubspnhm2c2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04e127c5bdf94f075639d7f44badd25223f3ebeede44258367413d8463505020
Formbook
2dc07e970dd5581d1bd22d69e454dceda70d8f87cc84757f86c094b2fdb7f985
Formbook
3dd5fcdaf3b5e646b350d90bd538f6a175fa38834d4737252d038ffd0413412b
Formbook
49217eb71ec8276e6fdb8573c02691fa5b9de9cb14be7b82c4ec6570f78fcfdf
Formbook
4b4efdb81c426d5bfcd3ec8f3c34e573a97bf9644bd6524b0e87baa0931775f8
Formbook
64b444c4fd6497754e7dc344133bcbd5bd7601fb8e3c632cbda728169ef418ec
Formbook
7edea6fe44458e087954bd189d33214f74cdb0d25dc3ea598554a9b2e3808abc
Formbook
9ecedea13dc027095e79edab82e3988f028dfda3ea5b5469351a52a82a60ff7f
Formbook
b2697b1c939e346a4adcf8ed2cb4a0e493f2390a54a0457c95fea5485c2fa19b
Formbook
cc7a7c9a7d4982106d3e95696f31b1f6ead94851e95aba651709d957b6f333d4
Formbook
+ 9'504 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:di4c loader rat
Link:
https://tria.ge/reports/210920-m6vbjsdge5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.dropadsmedia.com/di4c/
Unpacked files
SH256 hash:
fc195d09ce60ed75d7d6b58b9d750fee17c9f81bb2e22161dc46646dd582a1fb
MD5 hash:
0b27829e2ff4f71f9b99262d83ee90d4
SHA1 hash:
a084ea6e9f28dac20d44d8114426e339b947798c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/74694863-707d-47cd-9129-38aff533e930/
Parent samples :
7edea6fe44458e087954bd189d33214f74cdb0d25dc3ea598554a9b2e3808abc
7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5
SH256 hash:
77ac88700f073d795ea0471110387159e6085f020ddfd01704ba578fc2f22590
MD5 hash:
d19b585f76ec02639363803c83d19cc7
SHA1 hash:
b54e0a76b3d521b237014a90479ec18e9ab0ead9
Link:
https://www.unpac.me/results/74694863-707d-47cd-9129-38aff533e930/
SH256 hash:
7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5
MD5 hash:
93f117ea1f6e392f15d38b9968b3ce74
SHA1 hash:
2b327374dfb4e49ba276598c27be4d6d4cba2d2a
Link:
https://www.unpac.me/results/74694863-707d-47cd-9129-38aff533e930/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7811bd14cb7fe9de30afeb44ca4d2f009e0e5f0488ad07f282ad0327b4ecd0b5

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189399/

Comments