MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b72de010ebd70d5fea76372b2984d99c0b844205c56a9379778b771db47ce1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b72de010ebd70d5fea76372b2984d99c0b844205c56a9379778b771db47ce1e
SHA3-384 hash: b53357ff5b857a5f9ecc58f320362862c519a7a1181eabfb4e56181c4e0542a07ee857fa25879635d26448a51cee9c30
SHA1 hash: 79184f6f10c9d97a684b3c49027d7a948a05da29
MD5 hash: 96056398cc00cc9bcfc26f12cb79c42d
humanhash: december-queen-mexico-ink
File name:96056398cc00cc9bcfc26f12cb79c42d
Download: download sample
Signature Formbook
Create hunting rule
File size:516'608 bytes
First seen:2021-12-22 00:55:18 UTC
Last seen:2021-12-22 03:00:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:axcBuSK314bWc3ZHLTkwbPvA4OqN6ptKE8nJ:aCUSK31iW+kwbPEqAtEJ
Threatray 12'348 similar samples on MalwareBazaar
TLSH T193B4CE4272AC5B26E77CB7F929B8934077B0BC766823E24D5EC971CA1472B814D30E67
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
96056398cc00cc9bcfc26f12cb79c42d
Verdict:
Suspicious activity
Analysis date:
2021-12-22 00:57:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75c73441-9766-41ee-94ca-9a84084d70cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215719/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1140.974.21682.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed wacatac
Link:
https://www.filescan.io/uploads/61c277a4ec6c6c14a9e8c8ec/reports/7e4ba4d5-7805-459c-9fc5-78ef29ef6bf1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56cfddde-7fd3-4b4b-b72f-dc9e506d4493
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911297
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543775 Sample: VOK2i28Ij9 Startdate: 22/12/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 5 other signatures 2->42 10 VOK2i28Ij9.exe 3 2->10         started        process3 file4 34 C:\Users\user\AppData\...\VOK2i28Ij9.exe.log, ASCII 10->34 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 VOK2i28Ij9.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 process9 19 wlanext.exe 17->19         started        22 autofmt.exe 17->22         started        24 autofmt.exe 17->24         started        signatures10 44 Self deletion via cmd delete 19->44 46 Modifies the context of a thread in another process (thread injection) 19->46 48 Maps a DLL or memory area into another process 19->48 50 Tries to detect virtualization through RDTSC time measurements 19->50 26 cmd.exe 1 19->26         started        28 explorer.exe 2 162 19->28         started        30 explorer.exe 114 19->30         started        process11 process12 32 conhost.exe 26->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b72de010ebd70d5fea76372b2984d99c0b844205c56a9379778b771db47ce1e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-22 00:56:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
586e65df6337c02078f617bdcbad67cc055c79df2f1c57899789cec1d65a7939
Formbook
5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758
Formbook
5ec2107b1399b50f3ed23e72228f1a74ab9898191a23431c8a4cbff7b73af998
Formbook
7206a2aa27d3bb73daca20e7327a3e4cc2f66940e27cda04d3e8440450617596
Formbook
7f4888239060a411b5a521d19e88bb1158189634f764383c2c2fc0bb84e01169
Formbook
86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c
Formbook
89dd90006d6cd58559565a7ccebc2147780e2a3ae084b5d114b2077c2ae341d7
Formbook
9acecc34e744fe02c1f5453d9ac6f4bab205fba7dfa13bd1396065888b083033
Formbook
a22a77a96c3e15bc6f91c9973a3aaba9cb16932c5360b04c1ec3038e1e758ad6
Formbook
+ 12'338 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:g2n4 loader rat
Link:
https://tria.ge/reports/211222-bacwvaffak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
aac52a5d9eae86185278ac498078006ecf3c50786563d82a97835982be813abf
MD5 hash:
539acef09ba2a71305ec00055168a896
SHA1 hash:
98b1792fb289ce215e5eda68af3edbd08083284e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3707b544-5277-4d0f-a588-df4f1e0ba77d/
SH256 hash:
0412dc7ec357b6e45d7fd31e17f007e5d1e39a16898cdf3bc98bb108cadac80b
MD5 hash:
7a15eb24c4cd0b744785bc5684db8351
SHA1 hash:
1e2a4d63b5bc487ff8b985df9905954594fc53aa
Link:
https://www.unpac.me/results/3707b544-5277-4d0f-a588-df4f1e0ba77d/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/3707b544-5277-4d0f-a588-df4f1e0ba77d/
SH256 hash:
8b72de010ebd70d5fea76372b2984d99c0b844205c56a9379778b771db47ce1e
MD5 hash:
96056398cc00cc9bcfc26f12cb79c42d
SHA1 hash:
79184f6f10c9d97a684b3c49027d7a948a05da29
Link:
https://www.unpac.me/results/3707b544-5277-4d0f-a588-df4f1e0ba77d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8b72de010ebd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/8b72de010ebd70d5fea76372b2984d99c0b844205c56a9379778b771db47ce1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8b72de010ebd70d5fea76372b2984d99c0b844205c56a9379778b771db47ce1e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1908595/
Cape
Cape
https://www.capesandbox.com/analysis/215719/

Comments


Avatar
zbet commented on 2021-12-22 00:55:20 UTC

url : hxxp://mikron33.ru/XPP.exe