MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a045f05076f6ba87c264a104517f72a16e629fc713fd6591078d46b14776ad1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a045f05076f6ba87c264a104517f72a16e629fc713fd6591078d46b14776ad1b
SHA3-384 hash: 9f715099ab218faeb70bfcd7a13ca34f9536715e2ab8cf99e0ae2f935b3b697a309647059463a6d4a8b356ac790f21d4
SHA1 hash: 02950b417b690aec2fd4976f08353c37ee616030
MD5 hash: 00c6d5c908902b425d518d8b50ef54a0
humanhash: wisconsin-zebra-foxtrot-wyoming
File name:00c6d5c908902b425d518d8b50ef54a0
Download: download sample
Signature Formbook
Create hunting rule
File size:341'258 bytes
First seen:2022-03-15 15:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGilrzRsLO1u0b9Bebsc3DyKA0p6WYrvsnpdH9/11s0rI:Jzmyug9BeF3DCSTqsPH998
Threatray 14'275 similar samples on MalwareBazaar
TLSH T10B74224B9FD80C9BD4E14A7509F6AB38E7B748EB12A7112B37F42E97C1315D1CA016E2
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
00c6d5c908902b425d518d8b50ef54a0
Verdict:
Malicious activity
Analysis date:
2022-03-16 04:12:36 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/0c4f6764-4e7a-45ee-b551-490adc68c991

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/250961/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6230b1810cd58dbd929f850c/reports/5c92cc0f-48c0-4809-b575-b81a8f842f9c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/188c3a20-8620-4993-b583-163db9da869d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957165
Signature
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589664 Sample: n4i29G4M4g Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 2 other signatures 2->53 11 n4i29G4M4g.exe 18 2->11         started        process3 file4 37 C:\Users\user\AppData\Local\...\flynrizjy.exe, PE32 11->37 dropped 14 flynrizjy.exe 11->14         started        process5 signatures6 61 Multi AV Scanner detection for dropped file 14->61 63 Tries to detect virtualization through RDTSC time measurements 14->63 17 flynrizjy.exe 14->17         started        20 MpCmdRun.exe 1 14->20         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 22 explorer.exe 17->22 injected 24 conhost.exe 20->24         started        process9 process10 26 explorer.exe 22->26         started        signatures11 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 29 cmd.exe 1 26->29         started        31 explorer.exe 2 143 26->31         started        33 svchost.exe 1 26->33         started        process12 process13 35 conhost.exe 29->35         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a045f05076f6ba87c264a104517f72a16e629fc713fd6591078d46b14776ad1b/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 07:14:53 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubc7audw625ipqteuecfc73sufxgfh6hcp6wleihrvdlcr3wvunq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
085716dfefcb862a1677484242f5e03be402875e1752717a9e9f6ce346120ea4
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
57037671020fbbcf7e45114c351297ed8ccf818410c36aa4030434bc41ce86b3
Formbook
58a3b0684756dd561c0300547a910b82c2b177d7644cca51b1e746302fe8fdbc
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
889a99efe47a7cd2f2ee5797086d76e5811f9502047d9be1c6cbc1dc815c57fe
Formbook
adee504198fbe0336c2f1cd0c729dc7624c582bab3bd796dbb525f2b0d98d9ac
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
+ 14'265 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:wesd loader rat
Link:
https://tria.ge/reports/220315-syl8vsdbh4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
a045f05076f6ba87c264a104517f72a16e629fc713fd6591078d46b14776ad1b
MD5 hash:
00c6d5c908902b425d518d8b50ef54a0
SHA1 hash:
02950b417b690aec2fd4976f08353c37ee616030
Link:
https://www.unpac.me/results/d83d2c0f-2601-47be-8f2a-f77ed27a4887/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a045f05076f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/a045f05076f6ba87c264a104517f72a16e629fc713fd6591078d46b14776ad1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a045f05076f6ba87c264a104517f72a16e629fc713fd6591078d46b14776ad1b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2098471/
Cape
Cape
https://www.capesandbox.com/analysis/250961/

Comments


Avatar
zbet commented on 2022-03-15 15:31:16 UTC

url : hxxp://198.12.110.210/721/vbc.exe