MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e
SHA3-384 hash: 6f86fccd214c3c19f7d2c2225672e30f9d840120f6156639feec1adcd7550a47acec67518f6ce78a6cf5d4cfcbd3a838
SHA1 hash: 26de0fe1f99e50859715040901c7303a15a9cf39
MD5 hash: f245bc7fd14a989b83c7dd40f78733f3
humanhash: apart-summer-summer-uranus
File name:f245bc7fd14a989b83c7dd40f78733f3.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:419'256 bytes
First seen:2022-01-31 07:50:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:fwrFaiaYtZpFWouUyVrWvdyH7yztIZ7fZtvQ5uLzPA6Yx14K+Kk:GFaiaYtFuzrW162qkQcf4Ok
Threatray 13'229 similar samples on MalwareBazaar
TLSH T11094AFD2F69DACDDED794CFB04F5A3D67861AE1C0B0297D1A3A53AD9937A2523C0C009
File icon (PE):PE icon
dhash icon 00ccd4d4d0c8d400 (7 x Formbook, 2 x Loki, 1 x NanoCore)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD JANUARY 2022PDF.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-31 04:52:28 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/7fd1a5e3-07bf-477c-ab47-63f89507dc8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228348/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe csc.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f794e8d7fd65ae55fb4efc/reports/78d7f03c-9362-48af-bb50-b848db1b7470/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7fe615dc-b06b-499a-a921-638dd36fbdac
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930655
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e/
Threat name:
Win32.Trojan.Risis
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 08:01:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 43 (39.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ug7wcifvm3tw2pptw4rmdjix7zu3otthbvyl3yiaythqjy7osr7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d42799a7602de1d76ef3b39ceff5075b95dd1e3891332987d525a07ef5c5f0f
Formbook
15f9ae45222e5eb82ac39303b8f9b852399bbf3ea54c3f7ff7d04e76756bc43f
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95
Formbook
6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
a1d8420052bbdcaf3d318427bfe57edf5cc330fb14aaa5f4a597fac220c2a6de
Formbook
a632daf4953367bf3024b3e84d13b5beb03d77719cca10b155355e474b3173e3
Formbook
cfdf477d386cab73129ac775a953d693466176d4d4854d06d580125a8f20f9e6
Formbook
d1a716b9f2d3c4be4527b077dd5da726ffb4008935c7223116a3aa64b4f5f8f0
Formbook
+ 13'219 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pnug loader rat
Link:
https://tria.ge/reports/220131-jpvdfaggfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e
MD5 hash:
f245bc7fd14a989b83c7dd40f78733f3
SHA1 hash:
26de0fe1f99e50859715040901c7303a15a9cf39
Link:
https://www.unpac.me/results/d937317a-b621-4050-b034-f8d672abdc6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1995426/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/228348/

Comments