MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001
SHA3-384 hash: ebbb7796d61c7508b83bd1849ce3b33253901c075c1de1b1e966194052545099db0cd616ebde2add91c63a5ddf60362d
SHA1 hash: 43bb31c71c84de912fbc4b2df45df445e0fd5de4
MD5 hash: b8c17d08c78f88e49edd77c35b47e851
humanhash: bluebird-colorado-alpha-bulldog
File name:b8c17d08c78f88e49edd77c35b47e851
Download: download sample
Signature Formbook
Create hunting rule
File size:906'752 bytes
First seen:2022-02-24 08:45:11 UTC
Last seen:2022-02-24 08:54:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:C1apH3333333PfJ55555555CaqaF0qMgmxd0C66baBTn0huT/pWygoptzU6Lm/GD:/X6TgCd05BTtpWDoDzU6LmO7SlEZLx
Threatray 14'198 similar samples on MalwareBazaar
TLSH T1E315AEA2739315E0F72AC7B8442937112FB070AB69C6D76D5FA614FC99B1F926804F0B
File icon (PE):PE icon
dhash icon 89a096b2b2b2ccf0 (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244151/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe finger.exe obfuscated packed remote.exe update.exe
Link:
https://www.filescan.io/uploads/621745d52fde1a619800e964/reports/361e39c4-700e-4f07-9190-12ff30d306b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3b7d892b-6afb-4ae2-8e55-b47c91be6bf1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945502
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 577980 Sample: eWoqcTKlEQ Startdate: 24/02/2022 Architecture: WINDOWS Score: 100 31 www.verifiedpaypal.net 2->31 33 www.lifesongcounselling.com 2->33 35 4 other IPs or domains 2->35 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 8 other signatures 2->43 11 eWoqcTKlEQ.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\eWoqcTKlEQ.exe.log, ASCII 11->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 15 eWoqcTKlEQ.exe 11->15         started        18 eWoqcTKlEQ.exe 11->18         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 20 explorer.exe 15->20 injected process9 process10 22 chkdsk.exe 20->22         started        signatures11 45 Self deletion via cmd delete 22->45 47 Tries to detect virtualization through RDTSC time measurements 22->47 25 cmd.exe 1 22->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 08:46:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 28 (60.71%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0aeac649d2d859f9f98e5545017913ed1e3270ba4d46602c2cac3adbe03dea40
Formbook
1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
Formbook
335fa8671bb1ef8659247de4bed05898512fb3a056ef6deb31849eefef8a4743
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
52b3b8d10c143dd7b6dfc186bf1e1e0e3c47c3f995dec4e1e4f5f569075d9a38
Formbook
652385ecfc8acbe450ec14e301e3f4067cd1e2da0d5675c589c393949febc58a
Formbook
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Formbook
ae96332ca43b0c594a1c8c81d26c14742eca1c15c290901772bc4ae29c530f29
Formbook
d11763e5e7a68e1ebd3c8094630dd0d1e184e08eeb9a9d5e3f8200e7aeb9aea9
Formbook
+ 14'188 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:uit2 loader rat
Link:
https://tria.ge/reports/220224-kpavgacea4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
6f98f6aafefd85742a1e89c980f85320061cd039d3de615cf99f9782e21d2385
MD5 hash:
3ececefab2d2bf7d86151f4ecc21bf75
SHA1 hash:
120c059212b8f20fab31606c6da185c3f8779d00
Link:
https://www.unpac.me/results/0f11ceda-c156-4a48-a221-2ebae9778565/
SH256 hash:
5680c529ee9d94d831df983fb4eeeaa8fd7f89902881b57750fd3e0c5e0ee11b
MD5 hash:
3b4b7b8eec5ecca5344fae8319d8c3a5
SHA1 hash:
2748f4b64d51f4c072abaa11301b2767b0e38191
Link:
https://www.unpac.me/results/0f11ceda-c156-4a48-a221-2ebae9778565/
SH256 hash:
b4d2925cd5af4e72522be7bf13b9c842914ab97388d2e3ddf553abe3c40f2efe
MD5 hash:
b54d8659c6ea5a42a2a9bb420f21e4b5
SHA1 hash:
78edb3fa48e5ea19015572de00547a787f30ce0e
Link:
https://www.unpac.me/results/0f11ceda-c156-4a48-a221-2ebae9778565/
SH256 hash:
5aadcc2d4fb0a2dff305a635f69432f1878ac3e45a2ff67cd70b18aba257eac4
MD5 hash:
8172995a52b500a7a85e7f3e613b3b72
SHA1 hash:
6681c2b106be022b091d8de8c52940119510b091
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f11ceda-c156-4a48-a221-2ebae9778565/
Parent samples :
982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001
d67265883ffb3f3129132bfe1dad4a828c887266a0a005e814bcda58c525625b
f440de2871ef2d9b24f7e2d4323841b5a01e7730e33910ad712627580282af45
SH256 hash:
982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001
MD5 hash:
b8c17d08c78f88e49edd77c35b47e851
SHA1 hash:
43bb31c71c84de912fbc4b2df45df445e0fd5de4
Link:
https://www.unpac.me/results/0f11ceda-c156-4a48-a221-2ebae9778565/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2057411/
Cape
Cape
https://www.capesandbox.com/analysis/244151/

Comments


Avatar
zbet commented on 2022-02-24 08:45:14 UTC

url : hxxps://florafawnamusic.com/j8/ylY6.exe