MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd
SHA3-384 hash:	150f5d5416b57b2f250851a5a2b97cb5183cb12e2131f3c75e05a4d2d2081459d9d7a065d295cb01198cd3c43c873796
SHA1 hash:	aa7f9ceb70674caaef64c7ab05ac936201925f7d
MD5 hash:	9114cb5e17bf09326c9a699d0c14b6ef
humanhash:	sierra-idaho-five-mountain
File name:	SecuriteInfo.com.Suspicious.Win32.Save.a.23767.5913
Download:	download sample
Signature	Formbook Create hunting rule
File size:	314'501 bytes
First seen:	2022-04-04 15:00:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:RNeZlOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOF:RNIOOOOOOOOOOOOOOOOOOOOOOOOOOOOV
TLSH	T1B364E04123DCA093CCD6C9B40D95C6B48EAFFE264D788107619CBAD9EC3B19B45587E3
File icon (PE):
dhash icon	c486aaaaaa86d81c (4 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/260629/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.23767.5913.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12560/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed python shell32.dll threat

Link:

https://www.filescan.io/uploads/624b0832aa7e43c6a6b71703/reports/08767b76-bc0c-400d-ab52-eb1be50e9022/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f5b0573-7648-4aba-997e-96a813200d07

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/970175

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-04-04 15:01:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p3h47zfuzdlpkcrycmpvbo4ggkkrbiby2ivl6hkvnvcvkk24a3gq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:op53 loader rat

Link:

https://tria.ge/reports/220404-sdb76agah2/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

Unpacked files

SH256 hash:

0d37038858fe778955c3bb5953ac4ebded1fe5193401adb0fb03bd141e8d015b

MD5 hash:

63b6d2698fe76698c0e352d22b7173b0

SHA1 hash:

dfdf58820584e7d4df4cc574d5ec389aeacd6e06

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/8db8e9c8-8a86-4f6f-b601-aa440539bb29/

Parent samples :

0068d2689ad7ece35e2ff64c617f602046573a7f1c3af13efbbb45990dc17aea
04464b5872e342d59c8f4c85443fb3198a35544a9844d9a20618b7808f649464
d03f00ecce22cef615ed1cc86894e3b57dad4e78ef7a34af16f7479be9f84cf1
69785e004f3bf684c91c8f188058022933f954154f42d4dc41047be3713397ea
37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf
7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd
6f297bb4016558a90be2eacf5707f91010ae324f55ca20ec983c32c853389458
93147c02e1b23c567066353a89bf3ed2dcf0b1e7e2e1ee3c435cdd3b085d4f9b

SH256 hash:

9c37afe9b4dc78ab7c82f207ad9ee2bceab77f8afef03acf32e456b4cd7856c8

MD5 hash:

9d02ae8f97b2adcb1d0d26769112fca7

SHA1 hash:

46c855949f325f1b7ae5352779d2a1f3d539f0db

Link:

https://www.unpac.me/results/8db8e9c8-8a86-4f6f-b601-aa440539bb29/

SH256 hash:

7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd

MD5 hash:

9114cb5e17bf09326c9a699d0c14b6ef

SHA1 hash:

aa7f9ceb70674caaef64c7ab05ac936201925f7d

Link:

https://www.unpac.me/results/8db8e9c8-8a86-4f6f-b601-aa440539bb29/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7ecfcfe4b4c8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260629/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample