MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce
SHA3-384 hash:	5f178a07cff5c0b21d35e3f6a5d94f949e40fa8a744fc95d99e6ca935d7e33f16ad7d204ac96402d4a7168e7d75ab9b7
SHA1 hash:	d1a84c7342ee2654cc41a48a3c8e0581336d8cd6
MD5 hash:	955e4e99156906c0feb34239ede1e942
humanhash:	mississippi-potato-oscar-nevada
File name:	955e4e99156906c0feb34239ede1e942.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	197'759 bytes
First seen:	2021-07-02 10:39:30 UTC
Last seen:	2021-07-02 11:50:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	6144:iqjIK8MYl9vxY5qE6JlIgbxMO+A6TbJg+YmbqzqhzTP:zpiW5qE6rI++A6TdgIT5P
TLSH	FC1402696760C8B3D77153315A2683979FF6DA112948530BB7808FBFFE135E28E4B242
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

955e4e99156906c0feb34239ede1e942.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-02 10:48:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/02b13ccd-fb72-4c5b-88ff-4605e700c55d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169324/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.24409.31201.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3cc5e723-a8c7-4740-96a9-029851a7866a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/811026

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-07-02 10:40:16 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=riioc43s23yncileqecy645yg4z77powdtfuvevmovb3amelyxha._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210702-88rpr8pazx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Unpacked files

SH256 hash:

5ff15cb9a8d67710a630867ef622b6bff24f3ee52ee6844c9027b0455a71e2fb

MD5 hash:

c8a9188528db8956650b728924c2e513

SHA1 hash:

d3c6cb5fa7ad84cf1b41ff56ea6e2843beb11642

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/aa48c938-33bc-4a00-b2d0-51810e63e0e4/

Parent samples :

0fdda8d99fa4bec3e24b20ace57759d6af0f643d835be41c1be0e93ebfc2970d
8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4
35d5ace8383b8bbf1b4f1846b8f4c852899bad23312c02a1fa413c4d913e8603
0269bbd8953a859b8f56784a8321414cb8e51f74a8c95d9121c7fa484db2e34e
968e33752d87dc19ca806c2debcf125a50f6223b5732eb3191b9d9c9db9cf4dc
b21e4b93bd73868c7dcd13384c55c8c9b562abd7d858497a45f8a804ff639866
8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce
c92701cd811149250de5cf99296d191459a85dd7776088394ea3e31e6beb26b9
df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0
0cf80c8f64e7d607ee9088aaae888815ef75788f4f425b8fed868f0b057abdee
d8dcaea8f4111f3d9f443de90a88ecc27e9e3a878d86d923738059a6c0bafe7c
9a2b8fc3a21d660a2d8526bd1816b1304d60046e26c6d33553701d3883a6d31c
1a222b6d3a94cd1c8447b52f150e6d7dc20842da0d2e81ccbd0d6ecd5d01f59a
39d6d6751f8690fc26a41d18d14f076fce5cdffeceecdd1738d731e4ce7ddda5
11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
47084efc1f6a0205db28ae519b750bb03bbfb310609f9924e999e47bd99838dd
3759a4136f3ab450b1c26121511bdfea101baf948b580af60516c8c2d5c7b900
537a1b1e9a633875a74664967b2e62803f01b619fb26df9b4762b6795ee1b0ec
ab101d01bcc79b6835eeeae5c3e89b0857fdd3b32e007b15ec5541a5f4aa9e00
ef925865b194ddd0d59233fec99f8e3608a623c3d4f7eaaf34b9af57f9bb0a82
f51f764b6ee4051c097c29478b9fe1bea52df1be495c236bfc622477533e5ccf
84679ca59603f405a5096114188af75d5dcc3680ef795e446bd358f48cf12046
56037f063f73db6d972501996ef47add6b861c01140c3d8d51cc08de64b3d73a
b840f470d0cb4edaa85663b15f539593e3c31d81cec9e9ed1bb1c2539fc8d20c
56d6f10098e58e9b99da5ac5a8ed3c9a1f37eff6b2361907316cf3222f8652ec
a456a011d3554d95939f148a5bd1e46c5fc13cdf3e35e76da3d9117903bf89b5
368b6977de3879f6399b1199a740aea7457cbdc53aac44823d3d3f704fac1d7f
273f8137fbe63ffef8f64fa9efad27fac451ffec71edaf1a4a7769a277a2379f

SH256 hash:

5cc30650b5abfadd01e6d056c988557b1bdb4fc5d204cca901d7a41ccad79dec

MD5 hash:

1c26e4e9a1ddbf89fc5b7c771dd087e9

SHA1 hash:

7b2af36cf08aedc7e66d7888f222335fc5211ec8

Link:

https://www.unpac.me/results/aa48c938-33bc-4a00-b2d0-51810e63e0e4/

SH256 hash:

f213e1c8da546aaf0478b2695265adbc5a8a4e6d34ed0eff9c2fbaa0a00c20ac

MD5 hash:

4c4275923db59593bc468f048ccf11f3

SHA1 hash:

52a6f3f370ce3e33cebc4b22690aa4573703b9cc

Link:

https://www.unpac.me/results/aa48c938-33bc-4a00-b2d0-51810e63e0e4/

SH256 hash:

8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce

MD5 hash:

955e4e99156906c0feb34239ede1e942

SHA1 hash:

d1a84c7342ee2654cc41a48a3c8e0581336d8cd6

Link:

https://www.unpac.me/results/aa48c938-33bc-4a00-b2d0-51810e63e0e4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce

(this sample)

Cape

https://www.capesandbox.com/analysis/169324/

URLhaus

https://urlhaus.abuse.ch/url/1335110/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample