MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40
SHA3-384 hash: facfdf78e5c3a9b457ac7ca25f24b1462fdff19935b5f149c00b1832a5569829b2c2e0ef7594590c5572eaee137a0a6b
SHA1 hash: 04441b6a52530284bdeaa3c4ac4504d71c14101c
MD5 hash: b85c005de5b04c0ba376f72cc932f26b
humanhash: summer-four-arkansas-river
File name:b85c005de5b04c0ba376f72cc932f26b
Download: download sample
Signature Formbook
Create hunting rule
File size:920'383 bytes
First seen:2021-12-16 10:11:12 UTC
Last seen:2021-12-16 14:35:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:ufJ8iuXxfprfmx1Vyxgyh0WPkpt0wKPx7j2gWLYhw2mJRGUlX2TFsiWWEd5t:aJ8iufrOcxgR2WShjxthZHUlX2RuD
Threatray 12'640 similar samples on MalwareBazaar
TLSH T18D156D3CAFEFF90FC0E368F467A6D55DC85915680D290D23E76B683860B46EA739D240
File icon (PE):PE icon
dhash icon 94e498e8e8f8f0f0 (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214561/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61bb10f98541392eb4ea5723/reports/0d809e7e-e8e8-4cea-945a-90b1624a6970/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de23566f-54b5-4de2-adca-dbcdfd712cc5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908430
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540904 Sample: QL8vBespsj Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 3 other signatures 2->38 10 QL8vBespsj.exe 17 2->10         started        process3 file4 30 C:\Users\user\AppData\Local\...\ptinspeue.dll, PE32 10->30 dropped 48 Tries to detect virtualization through RDTSC time measurements 10->48 50 Injects a PE file into a foreign processes 10->50 14 QL8vBespsj.exe 10->14         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 14->52 54 Maps a DLL or memory area into another process 14->54 56 Sample uses process hollowing technique 14->56 58 Queues an APC in another process (thread injection) 14->58 17 explorer.exe 14->17 injected process8 process9 19 help.exe 17->19         started        signatures10 40 Self deletion via cmd delete 19->40 42 Modifies the context of a thread in another process (thread injection) 19->42 44 Maps a DLL or memory area into another process 19->44 46 Tries to detect virtualization through RDTSC time measurements 19->46 22 cmd.exe 1 19->22         started        24 explorer.exe 1 156 19->24         started        26 explorer.exe 146 19->26         started        process11 process12 28 conhost.exe 22->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 10:12:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1aac9a73533b5745a863e565e556ecc624619b3cecb917c9e8aee7b141976bb2
Formbook
5ce12b1abf4c0139a9022d549dafff88c441fbc7127d240cc78ecbd0608d2328
Formbook
7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f
Formbook
8a0fb297baf6f3affb73e0c20116dec0bbbae0292fcbffc3948051555df5099d
Formbook
8e405b6451c62462b5df1a0490175f4b9712ee1b1ab25a52f7e3a1f736400439
Formbook
99ce2e68255b2f3b1ee1934af1eacd280a096adaedcaa2df1f03e8d9ee01e860
Formbook
b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
Formbook
c1657f01ccef85f3f46740a96704bc5dccfb4cf8fc9ac09abcfd7aa6660448f7
Formbook
cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
Formbook
ce5ef050cbfe862b46edb70c1d3ee90b1fc3940ef93ee7fffe642589673d331b
Formbook
+ 12'630 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ea0r loader rat
Link:
https://tria.ge/reports/211216-l8hvvscedk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40
MD5 hash:
b85c005de5b04c0ba376f72cc932f26b
SHA1 hash:
04441b6a52530284bdeaa3c4ac4504d71c14101c
Link:
https://www.unpac.me/results/4eb345be-f1ed-4727-bd40-c5434d388b7b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7dfac85dbd9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1890072/
Cape
Cape
https://www.capesandbox.com/analysis/214561/

Comments


Avatar
zbet commented on 2021-12-16 10:11:13 UTC

url : hxxp://107.173.143.36/100/vbc.exe