MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546
SHA3-384 hash:	908856fac5838c69de5937d52c0615bd7e3ad933070c8cd655e6dbdc592f57efa25e5187b75a50fe6e5780390f6bb548
SHA1 hash:	735a4d10a58adab64deef3f4a63104d40dd8586a
MD5 hash:	36d837ee33175839b0fe83c09b5098d4
humanhash:	uranus-whiskey-eleven-princess
File name:	36d837ee33175839b0fe83c09b5098d4.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'091'072 bytes
First seen:	2021-10-27 16:59:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'655 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	24576:y0x9FdgxqOhvSj8aSC5dAMlOddPBDxHT7mS:yYgxqOhELOddPHz7
Threatray	9'473 similar samples on MalwareBazaar
TLSH	T1EA35061AB758BFA7E16D1F39881F1C2883F5C0232331F6AB29C59AD61185FD94B4F126
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/200664/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.5457.15191.1680.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/617985959a5a1e91c5d7a7c5/reports/b65ceba2-3978-4927-b68b-f11d6ac2adab/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/616ea44c-af06-496d-a301-013f0ee029dc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/877966

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-27 17:00:05 UTC

AV detection:

16 of 44 (36.36%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

83806181eaf99abe4f92d4f5846837c73053239ec7412072913834e33721673c

Formbook

85eb901d5863c16a7526addfb18464967c45348aec3e1d1bf6014958fa4aff8f

Formbook

bcf09c801e101acbaa20ef272f86c7eac2c311bf20c6a5b6e245fc0b92be576e

Formbook

c4d1d6a9baaeb3802cfb9f7e21db83b85236844b62dc05f8ed4822e491703eb3

Formbook

e876c1db90717ff0819f4fc578adace61decdad64963836ebc9ae983dc87a5d6

Formbook

+ 9'463 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:upi8 agilenet loader rat

Link:

https://tria.ge/reports/211027-vhzkcsfgd6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.dfwbcs.com/upi8/

Unpacked files

SH256 hash:

a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546

MD5 hash:

36d837ee33175839b0fe83c09b5098d4

SHA1 hash:

735a4d10a58adab64deef3f4a63104d40dd8586a

Link:

https://www.unpac.me/results/00dc469f-f7fb-4f78-97cb-d3200f525511/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a5731442f571/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546

(this sample)

Cape

https://www.capesandbox.com/analysis/200664/

URLhaus

https://urlhaus.abuse.ch/url/1715158/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample