MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 805a169b8f08ee6d903d5ea86178a1e50e65ae3c51a91085227b0e77c04efbea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 11
| SHA256 hash: | 805a169b8f08ee6d903d5ea86178a1e50e65ae3c51a91085227b0e77c04efbea |
|---|---|
| SHA3-384 hash: | 1ef1220014bc999a4378fa86e8006092b14067f2a3d2a56f1d1508c4b00aa7968affbac396da05101b90fa611bf748eb |
| SHA1 hash: | 901248bad47c7e4d39252aa9b95a32459100ec89 |
| MD5 hash: | b4b1cf97819486dbd0c0c0e0f38baf5c |
| humanhash: | georgia-apart-mountain-salami |
| File name: | newest payment.exe |
| Signature: | Formbook |
| File size: | 1'099'264 bytes |
| First seen: | 2022-03-25 10:34:06 UTC |
| Last seen: | 2024-07-24 18:06:03 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | cca1320226e806cf0d983ee82566105c (5 x RemcosRAT, 3 x Formbook, 1 x NetWire) |
| ssdeep: | 24576:+TLmKxzGyM4qG2AakO6fjPViDl1JPdCLHbW:kl4JbsjIzPdCLb |
| TLSH: | T142355B6DB2D0D436C02206385D167FB997F56E50DD389846AEECFDD88E32EA03B25253 |
| File icon (PE): | |
| dhash icon: | 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT) |
| Reporter: | |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads: 3
# of downloads: 227
Origin country: n/a
Vendor Threat Intelligence
Detection: n/a
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe keylogger replace.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Formbook
Verdict: Malicious
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-03-25 10:34:18 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Detection(s): Suspicious file
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:u55j loader persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SHA256 hash: 8430bd48e860a79e49184929a78d6357c3cebd3fdf659e68c8795395215f9573
MD5 hash: 5356b4ae62eb9ed6f3dce6eba74217df
SHA1 hash: d833a61a99f33b79b7359a2d3d47b08df78bfbd8
SHA256 hash: ca2ce40cb878ee57a487ee26e86a6d5be9996171f32d8eea12f19f974bd6dcb8
MD5 hash: 1f2c2df0c24a74f49c5b37a45a92f826
SHA1 hash: 915f340b525a5e4cd5f3aa380c747a925ad1732d
Detections: win_dbatloader_w0
Parent samples:
SHA256 hash: 805a169b8f08ee6d903d5ea86178a1e50e65ae3c51a91085227b0e77c04efbea
MD5 hash: b4b1cf97819486dbd0c0c0e0f38baf5c
SHA1 hash: 901248bad47c7e4d39252aa9b95a32459100ec89
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Legit
Score: 0.16
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Malspam | Delivery method |
|---|---|
| | Distributed via e-mail attachment |