MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
SHA3-384 hash: 93ea6548eb9f330a1fe7d056ce62d437d713fb1596db6adca5a0dd6e7d69b125ce3ae1a94173fc936fd4135af25fde6e
SHA1 hash: a52d1db5b170f9b4348db470d156f0832b811055
MD5 hash: d7d3911e9323382a426c62b1c1bbd566
humanhash: comet-wolfram-sodium-two
File name:0x0008000000023235-262
Download: download sample
Signature Formbook
Create hunting rule
File size:12'080'128 bytes
First seen:2023-12-30 10:57:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:zVWN8/FOaXGnh/kmfYPwOJ0FfmPLSthztav8ejn3pEAeUjV4In0+CSS:p+YXGnh8ESPWFfmP8hQvj5n71d
TLSH T10AC63352F8C0FEE9F6804B347ABE572918E9DCD8523A88CAF2C5969343250DE55D4FE0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter e24111111111111
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
c7bd91207ac565f362c9a9702bcf5cb278b414e8a5489087431a448011d32f47.exe
Verdict:
Malicious activity
Analysis date:
2023-12-30 11:33:52 UTC
Tags:
evasion asyncrat xworm
Link:
https://app.any.run/tasks/3c9adc9f-ceac-49cb-a648-f46f8bcacb5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a file in the %temp% directory
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer packed
Link:
https://www.filescan.io/uploads/658ff7bd6b1c246046102511/reports/a206f1e5-1310-41e2-8464-e28300afc0a8/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
Result
Verdict:
MALICIOUS
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b39450f7-919a-436d-b3ad-373433a3d912
Result
Threat name:
AsyncRAT, DcRat, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368241
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368241 Sample: 0x0008000000023235-262.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 82 ip-api.com 2->82 84 fviatool.com 2->84 86 fvia.app 2->86 114 Multi AV Scanner detection for domain / URL 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus detection for URL or domain 2->118 120 13 other signatures 2->120 11 0x0008000000023235-262.exe 13 2->11         started        signatures3 process4 file5 62 C:\Users\user\AppData\Roaming\tab.exe, PE32 11->62 dropped 64 C:\Users\user\AppData\Roaming\ship.exe, PE32 11->64 dropped 66 C:\Users\user\AppData\...\WindowsSecurity.exe, PE32 11->66 dropped 68 6 other malicious files 11->68 dropped 140 Encrypted powershell cmdline option found 11->140 142 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->142 15 tab.exe 11->15         started        19 Simple.exe 3 11->19         started        21 SecurityHealthSystray.exe 1 11->21         started        23 7 other processes 11->23 signatures6 process7 dnsIp8 70 C:\Users\user\AppData\Roaming\Seting.exe, PE32 15->70 dropped 72 C:\Users\user\AppData\Roaming\Protected.exe, PE32 15->72 dropped 94 Multi AV Scanner detection for dropped file 15->94 96 Machine Learning detection for dropped file 15->96 98 Encrypted powershell cmdline option found 15->98 26 Seting.exe 15->26         started        29 Protected.exe 15->29         started        31 powershell.exe 15->31         started        42 2 other processes 15->42 74 C:\Users\user\AppData\Roaming\splwow64.exe, PE32 19->74 dropped 100 Antivirus detection for dropped file 19->100 33 splwow64.exe 19->33         started        76 C:\Windows\svchost.exe, PE32 21->76 dropped 102 Found evasive API chain (may stop execution after checking mutex) 21->102 104 Drops PE files with benign system names 21->104 88 ip-api.com 208.95.112.1, 49705, 80 TUT-ASUS United States 23->88 106 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->106 108 Writes to foreign memory regions 23->108 110 Allocates memory in foreign processes 23->110 112 3 other signatures 23->112 36 RegAsm.exe 23->36         started        38 conhost.exe 23->38         started        40 WerFault.exe 23->40         started        file9 signatures10 process11 dnsIp12 124 Antivirus detection for dropped file 26->124 126 Multi AV Scanner detection for dropped file 26->126 128 Machine Learning detection for dropped file 26->128 138 2 other signatures 26->138 44 RegAsm.exe 26->44         started        47 RegAsm.exe 26->47         started        49 RegAsm.exe 26->49         started        51 RegAsm.exe 26->51         started        130 Potential dropper URLs found in powershell memory 31->130 53 conhost.exe 31->53         started        78 171.247.47.66, 4444, 49720, 49722 VIETEL-AS-APViettelGroupVN Viet Nam 33->78 80 fvia.app 172.67.161.173, 443, 49706, 49708 CLOUDFLARENETUS United States 33->80 132 Detected unpacking (changes PE section rights) 33->132 134 Protects its processes via BreakOnTermination flag 33->134 136 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 33->136 signatures13 process14 dnsIp15 90 171.247.57.232, 4444 VIETEL-AS-APViettelGroupVN Viet Nam 44->90 92 fviatool.com 104.21.77.198, 443, 49715, 49723 CLOUDFLARENETUS United States 44->92 55 cmd.exe 44->55         started        process16 signatures17 122 Uses schtasks.exe or at.exe to add and modify task schedules 55->122 58 conhost.exe 55->58         started        60 schtasks.exe 55->60         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8/
Threat name:
ByteCode-MSIL.Trojan.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 11:18:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rui6yxb7lm6v5nl6ovdj77aqoino5ffok2z5imx27xxbrg5q23ua._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:xworm botnet:default rat trojan
Link:
https://tria.ge/reports/231230-m2vfradefn/
Behaviour
Creates scheduled task(s)
Enumerates physical storage devices
Looks up external IP address via web service
Async RAT payload
AsyncRat
Detect Xworm Payload
Xworm
Unpacked files
SH256 hash:
d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
MD5 hash:
82b237983c744cf8c87ecb771cb6712c
SHA1 hash:
f02619183210ebcfbeef9fb36bc05bb60f8525f4
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
SH256 hash:
f5018f1b2138789f3f1c383992dcffac97017b0aeaaeb464b93ba0753277ae4a
MD5 hash:
d3fd42977e077b8c52c5bc5f65f8b64c
SHA1 hash:
74b1f0beb92ecf86a529bfba1cd961afa08a6d9b
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
SH256 hash:
5d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce
MD5 hash:
216ef921adac2bbb51ff6331f61b19e7
SHA1 hash:
90c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d
Detections:
XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
SH256 hash:
f3f62182a3b1c755106f7236bbef4d8bb73bbb5bc27249e78ff4125456cffc36
MD5 hash:
e6faba99be34ad76ebbc82f84e4c41d9
SHA1 hash:
c6df820b7fff507b53235baf4212a5c5b5b44105
Detections:
APT_ArtraDownloader2_Aug19_1
Create hunting rule
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
SH256 hash:
d1e12364ad93863e6576dcb96474554baf2e0e6129c5e5d76d7bea7337e8c33c
MD5 hash:
e019d6d9792c99957475bf3ccef837fd
SHA1 hash:
8a381739f49cbeb0e1a66f0a1bade63e9a92bfb9
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
SH256 hash:
7fb5791c4d46989bb721eb3686eba86440f99cac5dd21dfacf9ed010ecdb99a5
MD5 hash:
7dec290d3726113d520cab686b8898ee
SHA1 hash:
5b7e01df807a6eae0ad0f5b071f9dae904c03126
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
SH256 hash:
86d0a698bf78752dd92271afc1d109ed61b9a0941f0c017a6fb8df0b0a62ba1a
MD5 hash:
5b8a51aa0bdb65691de6ab707e4275f8
SHA1 hash:
66b523e68cc36d06e62aeeac380810327aac576c
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
SH256 hash:
78afc634736b67ac434819e5fa7c27870eb2da7046366402a99de391c1ab6ec2
MD5 hash:
292f33d4599eea0451c1e11db998ddbb
SHA1 hash:
a44c67cdf15bfdf17ca877dca1de7de8dd431ef1
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
Parent samples :
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
SH256 hash:
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
MD5 hash:
d7d3911e9323382a426c62b1c1bbd566
SHA1 hash:
a52d1db5b170f9b4348db470d156f0832b811055
Link:
https://www.unpac.me/results/6303a492-567d-4b3d-8759-f2dd895d47e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d11ec5c3f5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments