MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: 7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af
SHA3-384 hash: f21ec141bc58a20f96852d26c882b76f0bb1b78c00688323e6e4ccc8b004f95d26ebac9d91cb9de7cbd6daddf3ff7bf9
SHA1 hash: 782d70219eda646b7b134e26bd41ac71b90800f2
MD5 hash: 24f9d7832d2ec8673c62aea51e58717e
humanhash: sodium-magnesium-moon-magnesium
File name: 24f9d7832d2ec8673c62aea51e58717e.exe
Download: download sample
Signature: Formbook
File size: 912'896 bytes
First seen: 2021-01-19 12:12:50 UTC
Last seen: 2021-01-19 19:55:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
Note on the imphash: the counts above show it is shared by tens of thousands of samples across three unrelated families. It is the import hash of a .NET executable whose only import is _CorExeMain from mscoree.dll, so it fingerprints the managed loader, not the Formbook payload, and is not usable on its own as a family indicator.
ssdeep: 24576:r1gYUGwyfYfQfiE1aIUMZNYAao40LhmSSEO:r1gYUnM11ZNY9o4
Threatray: 3'530 similar samples on MalwareBazaar
TLSH: 7A15CEA62E08EE40C17D9AB6D82A68F473FEAD40DA51C40B6CD5FEBE3333A15151D136
Reporter: abuse_ch
Tags: exe FormBook
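The digests and the imphash above can be recomputed locally before the record is trusted or before any of them are pushed into a blocklist. The script below is an added example, not MalwareBazaar's own code: it recomputes the four fixed digests listed on this page in one pass, compares them against the record, and implements the import-hash algorithm as pefile/Mandiant define it so that the .NET import table (assumed here to be the single entry mscoree.dll!_CorExeMain) can be shown to produce exactly the imphash above. The sample itself is not embedded; SAMPLE_BYTES is constructed stand-in data, so the record check is expected to report mismatches on it. The ordinal-to-name lookup table that pefile carries for a few DLLs is deliberately omitted and is an assumption noted in the code.

```python
"""Recompute a MalwareBazaar record's digests and the PE import hash.

Added example, not MalwareBazaar's own code. SAMPLE_BYTES is constructed
stand-in data, not the real sample, so verify_record() on it reports
mismatches against this page's record.
"""
import hashlib
import hmac
from typing import Iterable, Tuple

# Digests exactly as listed on this page for 7b5c683c...48af.
RECORD = {
    "sha256": "7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af",
    "sha3_384": "f21ec141bc58a20f96852d26c882b76f0bb1b78c00688323e6e4ccc8b004f95d26ebac9d91cb9de7cbd6daddf3ff7bf9",
    "sha1": "782d70219eda646b7b134e26bd41ac71b90800f2",
    "md5": "24f9d7832d2ec8673c62aea51e58717e",
}
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed stand-in bytes; the real sample has to be fetched separately.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample"


def digest_bytes(data: bytes, chunk: int = 1 << 16) -> dict:
    """Compute all four record digests in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in RECORD}
    view = memoryview(data)
    for off in range(0, len(view), chunk):
        block = view[off:off + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_record(data: bytes, record: dict) -> list:
    """Return the names of digests that do not match the record (empty list = all match)."""
    computed = digest_bytes(data)
    return [name for name, want in record.items()
            if not hmac.compare_digest(computed[name].lower(), want.lower())]


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """Import hash as pefile/Mandiant define it: for every imported function, in
    import-table order, take "<dll without .dll/.ocx/.sys>.<function>",
    lower-case it, join the entries with commas and MD5 the resulting string.

    Assumption/simplification: functions imported by ordinal must be passed in
    already resolved to a name; the ordinal lookup table pefile ships for
    ws2_32/oleaut32/wsock32 is not reproduced here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Assumed import table of a typical .NET executable: one entry, the CLR
# entry-point shim. Every such binary shares this imphash, which is why
# AgentTesla, Formbook and SnakeKeylogger samples all collide on it.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]


if __name__ == "__main__":
    print("digests not matching the record:", verify_record(SAMPLE_BYTES, RECORD))
    print(".NET import table yields the page's imphash:",
          imphash(DOTNET_IMPORTS) == PAGE_IMPHASH)
```

To check a real download, replace SAMPLE_BYTES with the file contents read in binary mode; an empty list from verify_record() means every listed digest matches. The imphash function is the part worth keeping: when a record's imphash equals PAGE_IMPHASH, the imphash carries no family information and the ssdeep/TLSH values or the extracted configuration should be used for clustering instead.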

Intelligence


File Origin
# of uploads: 3
# of downloads: 138
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 24f9d7832d2ec8673c62aea51e58717e.exe
Verdict: Suspicious activity
Analysis date: 2021-01-19 12:17:56 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour:
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: suspicious
Classification: n/a
Score: 22 / 100
Signature: Machine Learning detection for sample
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-01-19 12:13:21 UTC
AV detection: 15 of 28 (53.57%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader loader rat spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader

Malware Config
C2 Extraction: http://www.rizrvd.com/bw82/

Unpacked files
SHA256 hash: 0741117b2fafba8a3a8ae382fc10786bb2529a8432ce0577c6935e8526ddac5b
MD5 hash: 68636a5ff4233a2c2eb38ff504bc0433
SHA1 hash: de4bb3f7abdfdcb03af952cae091d98ed8ed6f71
Detections: win_formbook_g0 win_formbook_auto

Parent samples:
SHA256 hash: 43ca2a793cb20e964dfae73acebac0b40ea217a693dba9b33869eff67dea2ff8
MD5 hash: 234ed26c3f8d83f319eddcabac7605a9
SHA1 hash: d971047e28eb2fed4e231f726bb5d5c847cbced4

SHA256 hash: 49d0f9d7cfb2ecfe3bdb839f6bd1a3d1571bdeed6b8ba21043addde870533e73
MD5 hash: 4080a7b12c956e07a74aef27c8049dd4
SHA1 hash: 01b843eb1914a81e357b55cb273c16ce7f802106

SHA256 hash: 7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af (this sample)
MD5 hash: 24f9d7832d2ec8673c62aea51e58717e
SHA1 hash: 782d70219eda646b7b134e26bd41ac71b90800f2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: Formbook
File type: Executable exe
SHA256: 7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af (this sample)

Comments