MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd
SHA3-384 hash: 6b65de33727cee501dcdfa9d62219a657a317c15cd06d595cad05f9a9816e4ab1153ebf85cb3acc1bbf760b0817d8f54
SHA1 hash: 3383b7a9dd515561c6febf0450b079bc5fa01180
MD5 hash: f04d2a73e6cbfa7448cddc8a720e8b7d
humanhash: indigo-table-florida-saturn
File name:SecuriteInfo.com.W32.Injector.AFV.genEldorado.24087.16389
Download: download sample
Signature Formbook
Create hunting rule
File size:217'600 bytes
First seen:2021-03-30 10:47:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:nAPpDdteXz3u9TJdAuQFB1EKXwWP+W9pKDGP6c:MDdJJizFP+W9pKyP6c
Threatray 4'433 similar samples on MalwareBazaar
TLSH AF24124A39FA4853E55A447016AACF3AFBBBF11432904E2B1FFC5F7A4E05182DA1178D
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice bank.xlsx
Verdict:
Malicious activity
Analysis date:
2021-03-30 06:14:50 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/1d49ae2d-c3bc-4b45-98ef-4e8900c70fc3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127961/
Detection(s):
SecuriteInfo.com.W32.Injector.AFV.genEldorado.24087.16389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658248
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd/
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 07:32:25 UTC
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14f42edbf19d11d2fadaa10586ccecbfa285f53ad10e494fb94f03091f93e261
Formbook
258415509125973a00bf2a625e5156afe82433c1c7f91f18a646fe91bc1543a9
Formbook
4bc0559cbf4ec33e38c556bc91fca79005454ec4b72e1101638fc4e2bfcbbb70
Formbook
61b36d9d2e055b9e7be872cd42f44e78e9abfd505e5bc4e719d5b9801200d99e
Formbook
86071c5800d553ea0cac697f9188a7b592aa9336bf59302545b14aed8b13ce11
Formbook
8d96cdba8c8ac7896773c03f0ab27a5cebe912d9cc6614fda1e149191fc6a7c7
Formbook
9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582
Formbook
9ab3bb93a6d39ab709c9b2369cde749ccbe7f3796c7c3e2fc39aa4715c3bb0fd
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
d3a729cac68f5147eb5b7a4e288196b37d0e7a02305529c591b060bcd36a843d
Formbook
+ 4'423 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210330-hxz6nnmfm6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.stone-master.info/aqu2/
Unpacked files
SH256 hash:
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
MD5 hash:
eef9e469e8a30717974499f277d97e2a
SHA1 hash:
2d33c25984ebd9116beeb55cdde4c5c86c023e5d
Link:
https://www.unpac.me/results/e6131513-f7cc-4155-86bf-c93b3ff9318a/
SH256 hash:
7b2eea4237568e9218cf344a37ede29c3273bbde754203bd50ff2f111d551f93
MD5 hash:
bf27e2d54c306fe919974cce18b97a18
SHA1 hash:
abb429df58f0d05c4c9eb911e59cb072e7e7547e
Link:
https://www.unpac.me/results/e6131513-f7cc-4155-86bf-c93b3ff9318a/
SH256 hash:
98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd
MD5 hash:
f04d2a73e6cbfa7448cddc8a720e8b7d
SHA1 hash:
3383b7a9dd515561c6febf0450b079bc5fa01180
Link:
https://www.unpac.me/results/e6131513-f7cc-4155-86bf-c93b3ff9318a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1099106/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127961/

Comments