MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d
SHA3-384 hash: 4d79e5cebf57120b95c2ba9f2282de34844b7e295cb8da393ba80b9ddfbc135f7606c1dec86d0d5f6d95915e7b6a87ca
SHA1 hash: 7917f09e2940b51aa7e5e23026a9ef97e9679710
MD5 hash: 80c6396c022d1af34979e7b42ee7797f
humanhash: apart-alabama-oxygen-magnesium
File name:80c6396c022d1af34979e7b42ee7797f.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:763'392 bytes
First seen:2021-03-31 12:55:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JUueD0fgoYIhkrSIACFJUSMB1A/j3i4MECyJxDxbNIlw0j0DVHgtplr72BWzaEq:JUFD0fDBhEStCFJpw1AW4MEzJxD5NS8A
Threatray 4'577 similar samples on MalwareBazaar
TLSH 9EF4D015721ABD51E07E8BF100DC0B41A7F357C4871AE97DBC94D1889EE32C6BADA6C2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129285/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660304
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379089 Sample: TNUiVpymgH.exe Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 33 www.paintersdistrictcouncil.com 2->33 35 www.cabinhealthy.com 2->35 37 www.4018398.com 2->37 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 9 TNUiVpymgH.exe 3 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\TNUiVpymgH.exe.log, ASCII 9->25 dropped 55 Tries to detect virtualization through RDTSC time measurements 9->55 57 Injects a PE file into a foreign processes 9->57 13 TNUiVpymgH.exe 9->13         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 16 explorer.exe 13->16 injected process9 dnsIp10 27 shops.myshopify.com 23.227.38.74, 49726, 49733, 80 CLOUDFLARENETUS Canada 16->27 29 longdoggy.net 192.0.78.24, 49727, 80 AUTOMATTICUS United States 16->29 31 20 other IPs or domains 16->31 39 System process connects to network (likely due to code injection or exploit) 16->39 20 wlanext.exe 16->20         started        23 autochk.exe 16->23         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 12:56:17 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjg6pdc65wjxvcve4mkj7lby2oh5aj253rc3fjeb6jtmiijdbzoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
Formbook
22a6bcf4a037a4ce39127fdb0cb4f8995f647e26318d857939978679342e9494
Formbook
2bec4da3283f4d9329b155c12e5ee6f5f8943bb43d9e66c1767b877b89a19063
Formbook
4136247829572b4210102e01bef684b8e5cbc8ebd9d8dc6a87de79ca62a51630
Formbook
41d1baa905b28a22e738f7379125e26301e240815e85ef0492b6061432cfe139
Formbook
452534ffdab7839250b44f52865d7e4e60d13deec5e13637514dd614ad46539c
Formbook
4d345d3e9341f12df8e933686d66efde41d0ba682e67b8a3d23064b35b400429
Formbook
5399fb6324cc620d69fd08e7975f69703e4c754ccb38e19b4e8088d8e9bc2569
Formbook
ddaa3b6f19f3e7b9a6e8ebe8188ceea0d1bb0c285a0b2d783c8d0cc7005e37a6
Formbook
f7dc24b214db050895707a8e89d730f2230d3b235eb5d19b65807139a82c49b1
Formbook
+ 4'567 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210331-ghc1nms9m6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.paintersdistrictcouncil.com/vu9b/
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/b2a94259-5640-4c72-aa02-2e6da1ac7fe4/
SH256 hash:
7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d
MD5 hash:
80c6396c022d1af34979e7b42ee7797f
SHA1 hash:
7917f09e2940b51aa7e5e23026a9ef97e9679710
Link:
https://www.unpac.me/results/b2a94259-5640-4c72-aa02-2e6da1ac7fe4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090615/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/129285/

Comments