MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA3-384 hash: 506558045f39fdc2363f30f283358e3928fd6e6c37c07f1d2ff61b3b1e29a27a70e72814b3883ca0f396285640e2328b
SHA1 hash: 7a2c6caf667483e57b9c183935e83c435ff5efd4
MD5 hash: fe1b3c933234d3a68d7b0722a177ba07
humanhash: pip-pluto-helium-magnesium
File name:fe1b3c933234d3a68d7b0722a177ba07.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:256'442 bytes
First seen:2022-01-31 07:48:23 UTC
Last seen:2022-01-31 13:53:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:ow38qXVTL9hNN8ZEqspBLWWuzxpZcUgcWmATFr:t1hNm+pBipZcgKt
Threatray 13'165 similar samples on MalwareBazaar
TLSH T15744125E20D2D8F7D9036E729CB76FCCD779A3002F6019871B684FBA3CA5086994E359
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lod4.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-31 04:54:48 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader formbook stealer
Link:
https://app.any.run/tasks/c741251c-8f5c-4faf-b774-9449c8e66d8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228346/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f79471fc92af0d80a78126/reports/e128514a-7efd-4b20-8fc4-cd8df69204ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a14b88a6-e491-45f4-bc72-729b22362105
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930657
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 07:56:24 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgstqszijzcneoer62zclehqdfgevqfswzihxni7uz4o3zwwa2na._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
32202111654172f16eab4a33849af61e651680218d44e657b719b56789976561
Formbook
39cc0c369b8ce6f0570864f4ac0019abed40383a582aae1a13c34e2de08a7168
Formbook
41baa5cad8fb3ecbaa97116421042ba41a024823638e9b7608c5ac2e2a339525
Formbook
5111f4fa05b89a9d727c4686485acedc16553a7715fd36776c68972acf8e5382
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
9f35e751b58fdca3b7156eba1bf2a56c88d3d5ce5e35de6b2797e6c8ba6ec0d8
Formbook
adbb0a2d948271b626589d5e305bdda36bad62e00b58847d0a7dae3688d5c376
Formbook
da99d68a728c3a14d186c03c30b551914fe57073f231d334be7955131cb5f921
Formbook
+ 13'155 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ndf8 loader rat
Link:
https://tria.ge/reports/220131-jnpfsshdf8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
MD5 hash:
fe1b3c933234d3a68d7b0722a177ba07
SHA1 hash:
7a2c6caf667483e57b9c183935e83c435ff5efd4
Link:
https://www.unpac.me/results/233e243a-a991-4592-97f6-6f2ef512dc8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/228346/
  
URLhaus
https://urlhaus.abuse.ch/url/2004815/
  
Delivery method
Distributed via web download

Comments