MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36
SHA3-384 hash:	ecfdb6a386cc7a8bb54191bb6c7218abb153b6852167c5e5a873448bf5a25705483758a96704731ed88c038ad19f09b3
SHA1 hash:	3c966215bc0ff8699571877c68cfbe8d67c14986
MD5 hash:	b571593463de571f5728c9f53847716f
humanhash:	alanine-echo-ohio-avocado
File name:	BANK SLIP.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	788'992 bytes
First seen:	2022-02-07 17:03:10 UTC
Last seen:	2022-02-08 20:07:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:5rkPJHrEvaTQE7fEjyPwfS3CyDlhSfnrpcd+kFo5EjdLTdNN14XRWJJSUBr94l/a:5A1zQWBPwfS3NDlhUnF6+kFo5EV4h
Threatray	13'155 similar samples on MalwareBazaar
TLSH	T194F4D0AC725179EFC81BC97299683C60AA3030B787CFD6039167169C9E8DA97DF044E7
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/236200/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

evasive obfuscated packed

Link:

https://www.filescan.io/uploads/620151064077c8b9a01c1465/reports/3cfaadf4-0663-4819-805c-e69d4b2c2375/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935382

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-02-07 09:21:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pryrnrva6hqg4tbff2sfm2fylqp56pzvefqjppqsbdquxzagnm3a._file

Verdict:

malicious

Label(s):

formbook

Formbook

34fc8a270fda2856448cb455e3dca4d8210f5e83f25f1fa8339d8f428a449466

Formbook

5da4b57909cb661822c8814842892c6ac54d9c259befd24241e16a8cb1d33ced

Formbook

60c6a4f46c95a47e3014a222cb92c5f85fd099d31da0b07910894cb2324d2d44

Formbook

8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c

Formbook

d5f77ba2b2ad58cfad5ae3111994ad0f889967e6d4f67ecb9cedf1b8f10a6149

Formbook

dfbeb8125b12783be186e19392ac1f5a0dd449f826f50eceb786bd158a956dfd

Formbook

f777ad0feb1db2da7abb7c793515f7af49d06a7b4fc5904a9da436ccbd59ddc3

Formbook

+ 13'145 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:geur loader rat

Link:

https://tria.ge/reports/220207-vlbygaehg5/

Behaviour

Checks processor information in registry

Gathers network information

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Unpacked files

SH256 hash:

9a5de2c679591144b02305c23e6a6a978ce200a5a4899c728f5fd8189f5a2769

MD5 hash:

0893a7e7d2a714bb9fd51a94d563d103

SHA1 hash:

d1b3b2cbc7e2bd36eacea7922747b605127e89ec

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/10de364b-d623-403e-94c0-6b9e9f6fd303/

Parent samples :

646292b0c5583d53f10119240466a74dedb0cb233d9c2b5052b90d8dd33660ca
2d9eaf3f28e001ea0dc52d3e01c415bde135493c0289437499b4e2669a1cb07c
60c6a4f46c95a47e3014a222cb92c5f85fd099d31da0b07910894cb2324d2d44
7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36
640ac0fcf97c0474f805fdf150d7c539650a833e1cbb47393e188da5a1f5f5c3

SH256 hash:

0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9

MD5 hash:

263b5190f7ac42d83c756dcdf38147bb

SHA1 hash:

78f419fe3936ed7d603706c47230cd3e6ff79ffe

Link:

https://www.unpac.me/results/10de364b-d623-403e-94c0-6b9e9f6fd303/

SH256 hash:

888279859042c22bcd35b80879e943b237b273afba322f261e133d35db543b3d

MD5 hash:

3a08b2aa8f57cdd9b5f9a22c2bc5c2ce

SHA1 hash:

106a8be5f1ababde736836f6f154e68bcf4187e4

Link:

https://www.unpac.me/results/10de364b-d623-403e-94c0-6b9e9f6fd303/

SH256 hash:

7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36

MD5 hash:

b571593463de571f5728c9f53847716f

SHA1 hash:

3c966215bc0ff8699571877c68cfbe8d67c14986

Link:

https://www.unpac.me/results/10de364b-d623-403e-94c0-6b9e9f6fd303/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7c7116c6a0f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/236200/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample