MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
SHA3-384 hash: 288c21c6c46739c768ba80a363de37fa53697b69a443e5c12638ef4f0dfd7867f1e5d606c43d9fd36d0fca9b03806743
SHA1 hash: d0b573aafe0ae84468027929ca77f3013e8edeee
MD5 hash: 41ab78eba18f74db196c3876f49179a8
humanhash: helium-mississippi-blue-fillet
File name:0x000700000002322d-215
Download: download sample
Signature Formbook
Create hunting rule
File size:8'073'216 bytes
First seen:2023-12-30 10:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:vXYJ3MN/dOFAjqbqLSRlFNjZUlzCCgOU4dcRTzJ1dX/jC7PYxg5N0arG2sD0+9h0:AJcbvq+SrVXCJUs+TzJLLpILrXs
Threatray 220 similar samples on MalwareBazaar
TLSH T1D286F2E4443D67EBCA41532FA0EEE358C06989DB60E885EF3A125216877DF916FDF840
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter e24111111111111
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
c7bd91207ac565f362c9a9702bcf5cb278b414e8a5489087431a448011d32f47.exe
Verdict:
Malicious activity
Analysis date:
2023-12-30 11:33:52 UTC
Tags:
evasion asyncrat xworm
Link:
https://app.any.run/tasks/3c9adc9f-ceac-49cb-a648-f46f8bcacb5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the Windows directory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Searching for the window
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/658ff743b290743934f02d6b/reports/c5418411-43bf-4a0c-be61-f77c13737061/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe741e01-f2ff-434b-99a2-93c780eb431c
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368233
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368233 Sample: 0x000700000002322d-215.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 62 ip-api.com 2->62 64 fviatool.com 2->64 66 fvia.app 2->66 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 12 other signatures 2->84 11 0x000700000002322d-215.exe 3 2->11         started        signatures3 process4 file5 52 C:\ProgramData\tab.exe, PE32 11->52 dropped 14 tab.exe 5 11->14         started        process6 file7 54 C:\Users\user\AppData\...\WindowsSecurity.exe, PE32 14->54 dropped 56 C:\Users\user\AppData\Roaming\Seting.exe, PE32 14->56 dropped 58 C:\Users\user\...\SecurityHealthSystray.exe, PE32 14->58 dropped 60 C:\Users\user\AppData\Roaming\Protected.exe, PE32 14->60 dropped 116 Multi AV Scanner detection for dropped file 14->116 118 Machine Learning detection for dropped file 14->118 120 Encrypted powershell cmdline option found 14->120 122 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->122 18 Protected.exe 3 14->18         started        22 Seting.exe 1 14->22         started        24 SecurityHealthSystray.exe 1 14->24         started        26 2 other processes 14->26 signatures8 process9 dnsIp10 48 C:\Users\user\AppData\Roaming\splwow64.exe, PE32 18->48 dropped 86 Antivirus detection for dropped file 18->86 88 Multi AV Scanner detection for dropped file 18->88 90 Detected unpacking (changes PE section rights) 18->90 92 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->92 29 splwow64.exe 18->29         started        94 Machine Learning detection for dropped file 22->94 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->96 98 Writes to foreign memory regions 22->98 100 Injects a PE file into a foreign processes 22->100 33 RegAsm.exe 22->33         started        35 RegAsm.exe 22->35         started        50 C:\Windows\svchost.exe, PE32 24->50 dropped 102 Drops PE files with benign system names 24->102 68 ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States 26->68 104 Potential dropper URLs found in powershell memory 26->104 37 conhost.exe 26->37         started        39 WerFault.exe 26->39         started        file11 signatures12 process13 dnsIp14 70 171.247.47.66, 4444, 49721, 49724 VIETEL-AS-APViettelGroupVN Viet Nam 29->70 72 fvia.app 104.21.34.141, 443, 49709, 49720 CLOUDFLARENETUS United States 29->72 108 Antivirus detection for dropped file 29->108 110 Multi AV Scanner detection for dropped file 29->110 112 Detected unpacking (changes PE section rights) 29->112 114 3 other signatures 29->114 74 171.247.57.232, 4444 VIETEL-AS-APViettelGroupVN Viet Nam 33->74 76 fviatool.com 104.21.77.198, 443, 49707, 49718 CLOUDFLARENETUS United States 33->76 41 cmd.exe 33->41         started        signatures15 process16 signatures17 106 Uses schtasks.exe or at.exe to add and modify task schedules 41->106 44 conhost.exe 41->44         started        46 schtasks.exe 41->46         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21/
Threat name:
ByteCode-MSIL.Dropper.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 11:20:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 37 (59.46%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qder5svlnjvgu6umwppupmir6ay6uqn6vopyxa4g6ta3zdiy74qq._file
Verdict:
malicious
Similar samples:
6179a69d0e85480eba50e73b18cea33da9a88d5e36c590d525a7b0474e7c2e07
Formbook
6e2078661766da4dc4a1f8cdb2a222791ae1382af3fc6527e1053104ce5c543d
Formbook
bfd9809a1fd4485f2590bb784d5e4ccc249f04b4e7211bc9728a0fe3c88f2b78
Formbook
d9048e7e5185fca63822a536674effaf47f434fd8bcd74018e5da09b5a7c1469
Formbook
e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
Formbook
ec6a6aa9a75e81c6069edc6bd5e246062ae923348d7c2221eb5f8fa3f59b63a8
Formbook
+ 210 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:xworm rat trojan
Link:
https://tria.ge/reports/231230-m1p5msddbm/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Detect Xworm Payload
Xworm
Unpacked files
SH256 hash:
b331392128a9d24386eb4eaa7c69629d2f89a26f8f970b85a39dcd756dbc25b6
MD5 hash:
0625a199f879f35b747581ca94315f20
SHA1 hash:
c18470702decc08354ad95c5fe56fc1971531e55
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
SH256 hash:
7bbe722f16c30b98a23901e3ce0b39600c2620983084f2e7c4f05506abad2971
MD5 hash:
2812210571ec21dfed8c1f9277020d4f
SHA1 hash:
363e645b3dae1774f0349182bc0453249ae1a64c
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
SH256 hash:
dd0dc7ad62d2a66b164ba36dc395ab67466fcd519ceaffd62ccebf5ddb60a340
MD5 hash:
ea35b0859a343c66e692a216e3f64835
SHA1 hash:
7d67cf9ab7f48aa349e92bfef3dce7fc960ee7ad
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
Parent samples :
dd0dc7ad62d2a66b164ba36dc395ab67466fcd519ceaffd62ccebf5ddb60a340
d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
SH256 hash:
d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
MD5 hash:
82b237983c744cf8c87ecb771cb6712c
SHA1 hash:
f02619183210ebcfbeef9fb36bc05bb60f8525f4
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
SH256 hash:
0e3b7bce0fb97f6860d6dd9142648188dce14573725d400174882e600e64bdbd
MD5 hash:
9c19d058a894e35cad64a0dab5f5a56f
SHA1 hash:
c41047677b50f5225eea3eb94df73bb99e43e076
Detections:
APT_ArtraDownloader2_Aug19_1
Create hunting rule
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
SH256 hash:
5d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce
MD5 hash:
216ef921adac2bbb51ff6331f61b19e7
SHA1 hash:
90c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d
Detections:
XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
SH256 hash:
f5018f1b2138789f3f1c383992dcffac97017b0aeaaeb464b93ba0753277ae4a
MD5 hash:
d3fd42977e077b8c52c5bc5f65f8b64c
SHA1 hash:
74b1f0beb92ecf86a529bfba1cd961afa08a6d9b
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
SH256 hash:
78afc634736b67ac434819e5fa7c27870eb2da7046366402a99de391c1ab6ec2
MD5 hash:
292f33d4599eea0451c1e11db998ddbb
SHA1 hash:
a44c67cdf15bfdf17ca877dca1de7de8dd431ef1
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
Parent samples :
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
SH256 hash:
86d0a698bf78752dd92271afc1d109ed61b9a0941f0c017a6fb8df0b0a62ba1a
MD5 hash:
5b8a51aa0bdb65691de6ab707e4275f8
SHA1 hash:
66b523e68cc36d06e62aeeac380810327aac576c
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
SH256 hash:
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
MD5 hash:
41ab78eba18f74db196c3876f49179a8
SHA1 hash:
d0b573aafe0ae84468027929ca77f3013e8edeee
Link:
https://www.unpac.me/results/6f1e1ebd-a823-4d21-bb65-f934b5d0068b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80c91ecaab6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments