MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80e474faeb69b9a9081d7f4b6add139d22fb9dcd0aac8bba44dc222d254c8f67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80e474faeb69b9a9081d7f4b6add139d22fb9dcd0aac8bba44dc222d254c8f67
SHA3-384 hash: 3ccba70d76f7f88524f90fec08378e7c78f8d5786a0a055a76601f8568db63c6d02145d9ce46762ff518fdecfbf323b0
SHA1 hash: ec01ff4c9be3b695098ed20635263a401cefb7fe
MD5 hash: 8844e06f443a571d2c8f414e56ef37d0
humanhash: leopard-blue-california-black
File name:8844e06f443a571d2c8f414e56ef37d0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'390'592 bytes
First seen:2022-03-04 07:12:44 UTC
Last seen:2022-03-04 08:46:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:zWUj67+16njDxtu6aitk3INxYbJJ6bmuZEcV4bF/PUs0COM2WohzLAB:zWUjh6nfM3IL+TImuZEcV4bF/PUs0CO7
TLSH T1BC550101EDED6403E37D8AFC61A3203057275E7B183F86464678A29815836FB5E3A7F6
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247255/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.9540.19510.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Сreating synchronization primitives
Creating a file
Launching cmd.exe command interpreter
DNS request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4476592a-87ad-47a6-ba8c-5ca0bd948cd7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950592
Signature
Contains functionality to hide user accounts
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80e474faeb69b9a9081d7f4b6add139d22fb9dcd0aac8bba44dc222d254c8f67/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 07:13:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdshj6xlng42sca5p5fwvxitturpxhonbkwixose3qrc2jkmr5tq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:arh2 evasion loader rat
Link:
https://tria.ge/reports/220304-h1392sdhd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Xloader
Unpacked files
SH256 hash:
119fc9a427feb301ad703a670652eea8507d7a9f428a2417bdcb5abe03e67c1f
MD5 hash:
15c76bd113ddca925a8855bc2baaca55
SHA1 hash:
dd35f5409822dd9ef861e6fcff868b9f0245bd50
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/72670773-082d-4ebb-8cd3-469efedbbd9e/
SH256 hash:
bd2dbef0f5d9c0c5df2d654ae2a3986ace459d0153050760dc82ac66970baa29
MD5 hash:
a7913055e4a3c134fa545d808604f6b3
SHA1 hash:
9bb3a22258a2bcafc1640ed6e39708d7902072b8
Link:
https://www.unpac.me/results/72670773-082d-4ebb-8cd3-469efedbbd9e/
SH256 hash:
ea7d0f17e823e6f4c25a712b27ad1ad65fa65fa115251c799887dfde33d70c06
MD5 hash:
648824565f630f773c3c72e10ed79087
SHA1 hash:
30711cb296d41407582488ba59a4b28ac0f67fdf
Link:
https://www.unpac.me/results/72670773-082d-4ebb-8cd3-469efedbbd9e/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/72670773-082d-4ebb-8cd3-469efedbbd9e/
SH256 hash:
80e474faeb69b9a9081d7f4b6add139d22fb9dcd0aac8bba44dc222d254c8f67
MD5 hash:
8844e06f443a571d2c8f414e56ef37d0
SHA1 hash:
ec01ff4c9be3b695098ed20635263a401cefb7fe
Link:
https://www.unpac.me/results/72670773-082d-4ebb-8cd3-469efedbbd9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80e474faeb69b9a9081d7f4b6add139d22fb9dcd0aac8bba44dc222d254c8f67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 80e474faeb69b9a9081d7f4b6add139d22fb9dcd0aac8bba44dc222d254c8f67

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2073570/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247255/

Comments