MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
SHA3-384 hash: 528cfd2ab38118fbb36a621c71b560344d005eafdd1d6efb7f48645682e2c5ab58158005916347847e3df11159ff95a3
SHA1 hash: 66efe94a882fb82b13299c2630867bd440539284
MD5 hash: 483f032ab447b2eed7aa963f8c979ced
humanhash: river-uniform-berlin-utah
File name:0x0006000000023239-347
Download: download sample
Signature Formbook
Create hunting rule
File size:8'059'904 bytes
First seen:2023-12-30 10:56:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f462fcc6b830b77fb3fef2add9dc570 (9 x CoinMiner, 3 x BitRAT, 2 x XWorm)
ssdeep 98304:PKhzlt7ledwzxTxhlC1uoj15uInxseGH44vDOzXRfe4qZjkQbyQAQSC45/OBeDT4:P+7IKBxzUTzjnuPHXDGByZjryQdBj
TLSH T14486BF0ADE9A61E06897ABF9BD6E7F3CCA512EE4731B64B01434B061E631FD155E0C0B
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 06276565593b9e4c (2 x DCRat, 1 x AsyncRAT, 1 x Formbook)
Reporter e24111111111111
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe
Verdict:
Malicious activity
Analysis date:
2023-12-30 11:20:13 UTC
Tags:
evasion xworm asyncrat
Link:
https://app.any.run/tasks/da923875-50b3-41e7-b17d-fbd4c3f7f358

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed shell32 xworm
Link:
https://www.filescan.io/uploads/658ff783b4e856b7282d39a9/reports/a91d2e1c-a651-4a16-83bf-11f7f98360fb/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368235
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368235 Sample: 0x0006000000023239-347.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 54 ip-api.com 2->54 56 fviatool.com 2->56 58 fvia.app 2->58 70 Multi AV Scanner detection for domain / URL 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 12 other signatures 2->76 10 0x0006000000023239-347.exe 5 2->10         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\WindowsSecurity.exe, PE32 10->42 dropped 44 C:\Users\user\AppData\Roaming\Seting.exe, PE32 10->44 dropped 46 C:\Users\user\...\SecurityHealthSystray.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\Roaming\Protected.exe, PE32 10->48 dropped 88 Encrypted powershell cmdline option found 10->88 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->90 14 Protected.exe 3 10->14         started        18 Seting.exe 1 10->18         started        20 SecurityHealthSystray.exe 1 10->20         started        22 2 other processes 10->22 signatures6 process7 dnsIp8 50 C:\Users\user\AppData\Roaming\splwow64.exe, PE32 14->50 dropped 92 Antivirus detection for dropped file 14->92 94 Multi AV Scanner detection for dropped file 14->94 96 Detected unpacking (changes PE section rights) 14->96 98 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->98 25 splwow64.exe 14 2 14->25         started        100 Machine Learning detection for dropped file 18->100 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->102 104 Writes to foreign memory regions 18->104 106 Injects a PE file into a foreign processes 18->106 29 RegAsm.exe 18->29         started        52 C:\Windows\svchost.exe, PE32 20->52 dropped 108 Drops PE files with benign system names 20->108 60 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 22->60 110 Potential dropper URLs found in powershell memory 22->110 31 conhost.exe 22->31         started        33 WerFault.exe 22->33         started        file9 signatures10 process11 dnsIp12 62 171.247.47.66, 4444, 49709, 49730 VIETEL-AS-APViettelGroupVN Viet Nam 25->62 64 fvia.app 104.21.34.141, 443, 49707, 49722 CLOUDFLARENETUS United States 25->64 80 Antivirus detection for dropped file 25->80 82 Multi AV Scanner detection for dropped file 25->82 84 Detected unpacking (changes PE section rights) 25->84 86 3 other signatures 25->86 66 171.247.57.232, 4444 VIETEL-AS-APViettelGroupVN Viet Nam 29->66 68 fviatool.com 104.21.77.198, 443, 49705, 49727 CLOUDFLARENETUS United States 29->68 35 cmd.exe 29->35         started        signatures13 process14 signatures15 78 Uses schtasks.exe or at.exe to add and modify task schedules 35->78 38 conhost.exe 35->38         started        40 schtasks.exe 35->40         started        process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 11:20:28 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 23 (82.61%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfhkguke4q6aa5hw2ygm76cezrynbivtjlm3la5hgfxbplwjjyxq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231230-m2arcafdg4/
Unpacked files
SH256 hash:
8b20d57abe4f6522488b18b508ae5370fff40fa6b8040c5eeabd5fbc622ff55d
MD5 hash:
c80243d9d68b605c76914396136c7287
SHA1 hash:
a1689a4e5956f75e71a557b93480125ece751121
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
SH256 hash:
94926b52e9346468aa7a64e1250b1c8e999f9a1d6848e0d024a94cf6ee4e4b0a
MD5 hash:
56927b8328ebd6da2e15649c0f20dcf9
SHA1 hash:
2b9d1462a70e969af80d02ab675c7986798f63e7
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
SH256 hash:
dd0dc7ad62d2a66b164ba36dc395ab67466fcd519ceaffd62ccebf5ddb60a340
MD5 hash:
ea35b0859a343c66e692a216e3f64835
SHA1 hash:
7d67cf9ab7f48aa349e92bfef3dce7fc960ee7ad
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
Parent samples :
dd0dc7ad62d2a66b164ba36dc395ab67466fcd519ceaffd62ccebf5ddb60a340
d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
SH256 hash:
d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
MD5 hash:
82b237983c744cf8c87ecb771cb6712c
SHA1 hash:
f02619183210ebcfbeef9fb36bc05bb60f8525f4
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
SH256 hash:
0e3b7bce0fb97f6860d6dd9142648188dce14573725d400174882e600e64bdbd
MD5 hash:
9c19d058a894e35cad64a0dab5f5a56f
SHA1 hash:
c41047677b50f5225eea3eb94df73bb99e43e076
Detections:
APT_ArtraDownloader2_Aug19_1
Create hunting rule
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
SH256 hash:
5d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce
MD5 hash:
216ef921adac2bbb51ff6331f61b19e7
SHA1 hash:
90c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d
Detections:
XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
SH256 hash:
f5018f1b2138789f3f1c383992dcffac97017b0aeaaeb464b93ba0753277ae4a
MD5 hash:
d3fd42977e077b8c52c5bc5f65f8b64c
SHA1 hash:
74b1f0beb92ecf86a529bfba1cd961afa08a6d9b
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
SH256 hash:
78afc634736b67ac434819e5fa7c27870eb2da7046366402a99de391c1ab6ec2
MD5 hash:
292f33d4599eea0451c1e11db998ddbb
SHA1 hash:
a44c67cdf15bfdf17ca877dca1de7de8dd431ef1
Detections:
DCRat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
Parent samples :
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
SH256 hash:
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
MD5 hash:
483f032ab447b2eed7aa963f8c979ced
SHA1 hash:
66efe94a882fb82b13299c2630867bd440539284
Link:
https://www.unpac.me/results/5f8dec8b-4b54-43ec-b0db-1b81f66b6f86/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/994ea35144e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments