MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c
SHA3-384 hash:	3c904fe37a6790be9c5106dd5e18929b92043fd310af955f20069f8be4ca96710ba55f546367cce1b91450cee5c775e0
SHA1 hash:	50647036426a23d3d45f38fbb1389328bcb29476
MD5 hash:	94a403332793f2b8ab589bc40c0cb9e4
humanhash:	oregon-double-july-high
File name:	Bank Payment Report.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	382'000 bytes
First seen:	2022-01-20 13:35:33 UTC
Last seen:	2022-01-20 15:58:20 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	1536:a7PvzvDyfSNbzhU47FEdSGVS9ZID9khfC3+bLrub+DukyVAB3Zfcpn+1MVoyJPkh:a7PvzWuXFEdSAeSD9jIVDuk/5GfqPmG
Threatray	12'783 similar samples on MalwareBazaar
TLSH	T14484FDF9E7E35293F8315A36CB91433461327EC9A4E45DF645C8BA2C4E302DE921E96C
File icon (PE):
dhash icon	31f0c0b2b2c0f071 (8 x Formbook, 7 x AgentTesla, 4 x AsyncRAT)
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/221097/

Detection(s):

SecuriteInfo.com.Artemis94A403332793.13487.28216.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a file

Launching cmd.exe command interpreter

Searching for synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe obfuscated overlay packed

Link:

https://www.filescan.io/uploads/61e96546f81da814af92b436/reports/0981fb78-504c-4f37-b384-130d03274fcd/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/924378

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-20 08:56:39 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rowrq4gmd3i6ua4shv5ue7br5wpaezvaxdip5iopnzqzbskm4rwa._file

Verdict:

malicious

Label(s):

formbook

Formbook

194eecb866b404241cc14abfccf3ece512927dafff1e64248e1b1fb4e4acbd26

Formbook

57037671020fbbcf7e45114c351297ed8ccf818410c36aa4030434bc41ce86b3

Formbook

75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2

Formbook

c0904a36e97e50225bc8ab11f7a9c588ebc758b1dc624d39d94da1f5268b847e

Formbook

d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35

Formbook

d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633

Formbook

f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363

Formbook

f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1

Formbook

+ 12'773 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:geur loader persistence rat

Link:

https://tria.ge/reports/220120-qv8xcaabe3/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Sets service image path in registry

Xloader Payload

Xloader

Unpacked files

SH256 hash:

8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c

MD5 hash:

94a403332793f2b8ab589bc40c0cb9e4

SHA1 hash:

50647036426a23d3d45f38fbb1389328bcb29476

Link:

https://www.unpac.me/results/40ad815d-af27-4fae-9bf5-a1c5c923b40d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_65628c146ace93037fc58659f14bd35f Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates