MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934
SHA3-384 hash: 68b9376da11c3169e109db23bedc6f261c743fc1eec67157ee9f354231d12a632a0a2f7cb3a7702b8f0bd7b4be281661
SHA1 hash: e2748e39aee6a535ddab9f27c1f5619baef947eb
MD5 hash: 2546592d458f8c44c65c890cd4358d56
humanhash: music-salami-bakerloo-spaghetti
File name: IMG-433665587656789565467654-9872.exe
Signature: Formbook
File size: 395'195 bytes
First seen: 2021-07-26 13:07:29 UTC
Last seen: 2021-07-26 13:51:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d4cc1601fd324eebfdf856765dda2bd4 (3 x Formbook, 1 x SnakeKeylogger, 1 x RemcosRAT)
ssdeep: 12288:nfiUDGoIgDSiJHpCq+Aed+x6OPIqyFQZwPSvGOXlzXAK1A:aQjJHpKArx60xyFQZio5XAF
Threatray: 6'839 similar samples on MalwareBazaar
TLSH: T15E84F12839C1C0B3D47729301CF4D6B11B7DFA321F21994F93656B3A9F342E29619A6E
Reporter: lowmal3
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 141
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: IMG-433665587656789565467654-9875.exe
Verdict: Malicious activity
Analysis date: 2021-07-26 13:29:21 UTC
Tags: rat remcos trojan formbook stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2021-07-26 13:08:05 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.northriverlawns.com/q3t0/
Unpacked files
SHA256 hash: d01f1b68cd4b87036d8ce4d307f76205b708cd0fcd0e757e6d2de206cd5ce4a0
MD5 hash: a3a155e53969bb3c5b6e2c392d482f63
SHA1 hash: 42a5d86bc0dbffcb46435a34bafed0fe31332854
Detections: win_formbook_g0 win_formbook_auto
SHA256 hash: a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934
MD5 hash: 2546592d458f8c44c65c890cd4358d56
SHA1 hash: e2748e39aee6a535ddab9f27c1f5619baef947eb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934 (this sample)
Delivery method: Distributed via e-mail attachment
