MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d
SHA3-384 hash: a441aff30e35d3cde17da18a14a7f09e34b4c0039b0191a1d83996059b06fd6e6cc922aa16c22fd88e0239fb7ccbf508
SHA1 hash: c793ca00c74365c3bfe2fef70e42777aa4b52d84
MD5 hash: d55fbb68cccfc67b3af7b345bdeefda4
humanhash: venus-violet-pennsylvania-river
File name:SecuriteInfo.com.W32.AIDetectNet.01.27999.10274
Download: download sample
Signature Formbook
Create hunting rule
File size:479'232 bytes
First seen:2022-05-12 20:52:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:0OKbdc8jE6eR2OrrZDaM71SDeJ58ElMu3HYfbVoVdO2bVpDB7gbTuVedjd/2J93x:sjE6K2OrFDz1YeJ2Ju34fyVdpNxMuVe
Threatray 15'952 similar samples on MalwareBazaar
TLSH T16CA4605C7EA10A76FD4D913856030A08BB538F336B4EDAC127DB2DE887DE1D91D85C8A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 83a9ac8e96e381a5 (6 x Formbook, 4 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270227/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe obfuscated packed
Link:
https://www.filescan.io/uploads/627d73b2804c0977d3e788f5/reports/2655c6b4-39f6-46cf-8178-ce26078992ab/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/645901ad-1f48-4613-938c-a10af8562f0d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993170
Signature
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625666 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 7 other signatures 2->59 7 SecuriteInfo.com.W32.AIDetectNet.01.27999.exe 4 2->7         started        11 windows defender.exe 3 2->11         started        13 windows defender.exe 2 2->13         started        process3 file4 45 SecuriteInfo.com.W...et.01.27999.exe.log, ASCII 7->45 dropped 63 Injects a PE file into a foreign processes 7->63 15 cmd.exe 3 7->15         started        18 cmd.exe 1 7->18         started        21 SecuriteInfo.com.W32.AIDetectNet.01.27999.exe 7->21         started        47 C:\Users\user\...\windows defender.exe.log, ASCII 11->47 dropped 23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        27 windows defender.exe 11->27         started        signatures5 process6 file7 49 C:\Users\user\...\windows defender.exe, PE32 15->49 dropped 51 C:\...\windows defender.exe:Zone.Identifier, ASCII 15->51 dropped 29 conhost.exe 15->29         started        61 Uses schtasks.exe or at.exe to add and modify task schedules 18->61 31 conhost.exe 18->31         started        33 schtasks.exe 1 18->33         started        35 WerFault.exe 23 9 21->35         started        37 conhost.exe 23->37         started        39 schtasks.exe 1 23->39         started        41 conhost.exe 25->41         started        43 WerFault.exe 19 9 27->43         started        signatures8 process9
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 16:58:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6niavfulue5fqa2t2ei5a3kirjpiq25zydn2a56m7rlf7zqsjwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
2d79a5c2368aba8773c00aa3dcfaa0eaf9fe2f80f15bdda080abeb4988940e1b
Formbook
75b2135da8f94b2601c6758aba7bfba10907e85ec7d98852b74442c21d8b3b16
Formbook
842a75ab92773e52741160c011f7265b489d57d82bdb8e1e6a5582b8852d8f3d
Formbook
93da913f4b899003071cf8743f4a06f14464397cdb135638e2e76072a283f970
Formbook
9d2383ab12abb52a372d372a049ae4cd6f17f6952930c5e76a7e9618e2c7b43c
Formbook
d56e8522cf147e2b964a5a03e51a17d24d4cb3a4a20f36ef3fd3caeda0b105f3
Formbook
de4f5d7be84c3a10afa75bd2463a7c2958afc54300f88962f8e069d121752796
Formbook
+ 15'942 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:mrw6 loader rat
Link:
https://tria.ge/reports/220512-zn91hadbfr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
b8178155c3917908387f5b2b9a5312f8222bc02824c433425d289c28195263bb
MD5 hash:
b783cfeb62a934e06ca18e8c55aa1c71
SHA1 hash:
c975e408a3c3906898cea818ffd93cd499197504
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ec0ce128-993c-4f1b-a613-ded717d611f5/
Parent samples :
de4f5d7be84c3a10afa75bd2463a7c2958afc54300f88962f8e069d121752796
01395e90d0c8ad1f209e098302edb7f9082529b52208bbd08eb78a6a09760c73
979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d
b85f6d4936a285f58b3902ada91915d91652aa45fd2fa774ce73f8f8e48f0ede
33689ab240c55ef3eb149bd364c2e1c0e655b35ffcca42363033ca3e492b5f32
SH256 hash:
979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d
MD5 hash:
d55fbb68cccfc67b3af7b345bdeefda4
SHA1 hash:
c793ca00c74365c3bfe2fef70e42777aa4b52d84
Link:
https://www.unpac.me/results/ec0ce128-993c-4f1b-a613-ded717d611f5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/979a8054b45d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/979a8054b45d09d2c01a9e888e836a4452f4435dce06dd03be67e2b2ff30926d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270227/

Comments