MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43
SHA3-384 hash:	ae565bb4ed7e226bd598c25c3f2e68da97123926a8420500273c7cd42d79b7dfa1b2f66b3c4f9de6446c3b39121b592f
SHA1 hash:	8a8ba271c5f969060764110b130149675d88f512
MD5 hash:	75d1affc8c3a971ba2cf24924349b5f8
humanhash:	network-skylark-comet-kilo
File name:	SecuriteInfo.com.Trojan.Mardom.MN.15.2808.18342
Download:	download sample
Signature	Formbook Create hunting rule
File size:	494'080 bytes
First seen:	2021-10-08 06:10:31 UTC
Last seen:	2021-10-08 06:52:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:2EpIG0TV7yoLC88N7zy7ybB1eCkWA0GqruDyL9pD3:J0Dj8Nvy7ybBIIAdqru+L7D
Threatray	10'056 similar samples on MalwareBazaar
TLSH	T15EB4F2202BE1AB25E5FA4F33BDF502A0667D6D0D9E3AD31D0AD035EE39B27594110B27
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Mardom.MN.15.2808.18342

Verdict:

Malicious activity

Analysis date:

2021-10-08 06:12:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0cab273e-1be1-4eed-ab3b-19bf202176e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196046/

Detection(s):

SecuriteInfo.com.Trojan.Mardom.MN.15.2808.18342.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger monero obfuscated packed

Link:

https://www.filescan.io/uploads/615fe0f798a6280f39344360/reports/97cbd44c-7f82-4ed1-b3cb-1f7e35737be6/overview

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ab208696-1291-4c13-b5cb-c39cfceae79c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/866887

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-08 04:54:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ryd63asgq2vriis35rubqgnsqrgvclvz26fxrbhtbj423323vnbq._file

Verdict:

malicious

Label(s):

formbook

Formbook

73db754f5e709731e9c07c230fa6512ee75e07184c367e3f80b1bf646e7b72da

Formbook

74c957dc1c72edda17a97da08e96d10cee7ad0bae2d1ef0ed904e92f458cf8dc

Formbook

8a95ac711537aeb1c93c61e541077005f5226e4150c2669742d1b612cfc25788

Formbook

9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490

Formbook

b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb

Formbook

bf8bfab0557ff010ee03db046d493da9b0deeaa5e5fb55d9e5750f280a0289ac

Formbook

d3c68ebad6229b1da92061291639f9b48e3f76fd4c524a9850b4fbb311e180f8

Formbook

f836093baf3255830126881722dc2edd86fd615fc922f86d177b0ccb0e3d2941

Formbook

fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae

Formbook

+ 10'046 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:huve loader rat

Link:

https://tria.ge/reports/211008-gxlp6adecq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.thethomasgrouphomes.com/huve/

Unpacked files

SH256 hash:

8c625b5630814017aa4d9645c2af6697614e3ff1e87b122e88fb24a462bdc962

MD5 hash:

142b9b0c80bda86b4ae258a1799fd538

SHA1 hash:

e89261ca56a78959dffa41da3dda85b0d0433e6c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/138c7630-b2ea-48b7-a523-8a630660ee17/

Parent samples :

8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43
8c813fa41f5f1341dac70ff4c3473d6447c0bd0eb6c87cf77ab62a864dcd2674
260472d8397219a6a202a4168b806c0879be49c60cca08fda308adccdd5cb809
3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881

SH256 hash:

d434e7cb4105d7e760a39a1a8a1306338b00fbd6507025d53e4c44ede73d3788

MD5 hash:

6613b992e916924c3f38a179bb9866ab

SHA1 hash:

cd5741f4d0a4685c5fd9c9e2e708bbf33ec1691a

Link:

https://www.unpac.me/results/138c7630-b2ea-48b7-a523-8a630660ee17/

SH256 hash:

f86c2b6db329a74b10b1fc575ed15a617df6cfb12d1441e8d80699c3c28868a2

MD5 hash:

2b221a091ad2bcece905b0ae3540a2fd

SHA1 hash:

6bab34da0d19a5d1636cf221f78220a4436e86c8

Link:

https://www.unpac.me/results/138c7630-b2ea-48b7-a523-8a630660ee17/

SH256 hash:

8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43

MD5 hash:

75d1affc8c3a971ba2cf24924349b5f8

SHA1 hash:

8a8ba271c5f969060764110b130149675d88f512

Link:

https://www.unpac.me/results/138c7630-b2ea-48b7-a523-8a630660ee17/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/8e07ed824686ab14225bec681819b2844d512eb9d78b7884f30a79adef5bab43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196046/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample