MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2
SHA3-384 hash:	fc9bb707383c0ec336ef2679628cdc3fc6c43a24a712f939edbda919ca2cdf27759c59ee4f1445cd991db13f7e7cc318
SHA1 hash:	7a840a7e4e8357d2833ff017826b507dc2fb22ac
MD5 hash:	2c03b32751ced3d481f98dc5bc2d74e6
humanhash:	idaho-potato-uncle-moon
File name:	SecuriteInfo.com.Trojan.GenericFCA.Agent.40057.14588.28564
Download:	download sample
Signature	Formbook Create hunting rule
File size:	772'608 bytes
First seen:	2022-06-06 21:29:58 UTC
Last seen:	2022-06-06 22:30:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:p4HwEOvLga9OqnDf8a2JhNc3sXQjNMS3FDdpbSKz6pJuo9dAc2DvdUtQaUHrAHMr:aHwEOvLga9OqnDf8a2JhNc3WS1Hbf6TB
TLSH	T197F4DF3036ABA14CC86A4F720C7459C117767677BF09CA1E685A139CEC67A838F127B7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	10c0e0bc90909000 (12 x AgentTesla, 12 x Formbook, 7 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.GenericFCA.Agent.40057.14588.28564

Verdict:

Malicious activity

Analysis date:

2022-06-06 21:45:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/42213512-3b2c-4283-aad0-0b6c988085e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/277145/

Detection(s):

SecuriteInfo.com.Trojan.GenericFCA.Agent.40057.14588.28564.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/629e71f94c4e28fcf3b8deb1/reports/13c49008-0646-4f52-9e67-c6280b07287d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/869e5f63-a738-4393-bbf7-3d0861ba88f6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1007707

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2/

Threat name:

ByteCode-MSIL.Trojan.XLoader

Status:

Malicious

First seen:

2022-06-06 13:09:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tdz2gipozo2bsnjpt3f7h32fuqco4kandcvbjdcodxeaqz6mbgra._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:a2es loader rat

Link:

https://tria.ge/reports/220606-1cf4qacbg7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

ae5dd0a7fc20901973744dacd5ca578abf254cd8d8641b9a0e24826db97f953f

MD5 hash:

582a38cd558a01e3c0b65c405430e5af

SHA1 hash:

d76316fd02714d58f2d5628622e344acdd721215

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/db2a0f02-87cd-4972-b6a1-66b39831fb90/

Parent samples :

b138102457454a3101f17bba4da29d991c4330f387df3d0db2165aaabee608d2
0793dfe009772f771270e113edc94fc7a19fa5d7f53a3e858f9775319b9d536e
98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2
00509d2de60dcdf523ea44b90e5dbbb510f6298bcd9810686ea625d33160176e
b326a836015d646984f10a251e4b6678a9822a1f365369512b80f0928b35299d
f6c20c48de3ffdb54b94206a36926206993732ee873b0e0916e417ff93e9f878
7ead9b6c89ec926f1b8f0f793e305315f9bc59876e14b57653e47f336648eafc
25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
a1fda3d25de841c11ff5dae7f624462a8ee8b66ad97ead52b2d69f88875c3e5a
29706d5927c63e4ef3241012c1a81d1ca0382fbaa05d7f115c39184a03c598c3
f6b709d4d41b801c2f5df85f05f3396ab9a2d0b1851ebdc5e434b03c184dacd6
765c9f36ef8ac4c126c700a74d79f85ad6f02cc7e3539c1f79337efd9fd21bf6
329aff3de19577cdf2a9cba76a69b538280b0984577226b52ed9eeb193bbe0e7
05400e2e332ef1360d0e1a85c751d4e33e1269e7d5087ea695fe53b62180a121
215e5a85cc6a627b1abdf8744a7b20c3c3f2663ec5e59264d40679f004d4eca0

SH256 hash:

826eee8cc037ad62a6f9c0fd5e9afb9aca800a7c8a5eb178a2546384acac200d

MD5 hash:

b32e63871a9bf18cd3933d38bdab6d03

SHA1 hash:

da06c820dbf8fa52b8a58d3a48c17b978aeba4e8

Link:

https://www.unpac.me/results/db2a0f02-87cd-4972-b6a1-66b39831fb90/

SH256 hash:

6a6a9860bbfe39ca79d30f790c60932e64bf5dde3468b3e7abef250c9b0b50f1

MD5 hash:

10d58e7f5003b9fb044ca08da0beabcd

SHA1 hash:

94eb1d67e38ca5bc9fab4393b30f2e3b6ec26a24

Link:

https://www.unpac.me/results/db2a0f02-87cd-4972-b6a1-66b39831fb90/

SH256 hash:

8e88aaa9014d04b1ef25dbcda8ddd06017be33b89c185a0ef60e84ce07d4aa82

MD5 hash:

dbcd32a3fceab5491cf57ec1d665f4d2

SHA1 hash:

5805fb72ee86ee4420fd14790b29ee0651d35def

Link:

https://www.unpac.me/results/db2a0f02-87cd-4972-b6a1-66b39831fb90/

SH256 hash:

98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2

MD5 hash:

2c03b32751ced3d481f98dc5bc2d74e6

SHA1 hash:

7a840a7e4e8357d2833ff017826b507dc2fb22ac

Link:

https://www.unpac.me/results/db2a0f02-87cd-4972-b6a1-66b39831fb90/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/98f3a321eecb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/98f3a321eecbb419352f9ecbf3ef45a404ee280d18aa148c4e1dc80867cc09a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/277145/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample