MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
SHA3-384 hash: 98185a3c43a407ec91d2a5dabf9a2b3cc7cf2cf0525a70779118d63303506b8cb4df00b217963a78f58bfe03acb93f18
SHA1 hash: c09d4b4b399ff3c346103e33879f0e4bdcc2fa6a
MD5 hash: b5f072069794e482d7a5940d8ba04a9a
humanhash: mississippi-ack-twenty-hawaii
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:524'800 bytes
First seen:2021-09-14 13:14:54 UTC
Last seen:2021-09-14 13:56:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UoafvcJ1uc/kG/2uiQNM93qzlTg4Gz3Gjw6YkXpGC:scJJviQNM93+Tg4Gz3GnXpGC
Threatray 9'273 similar samples on MalwareBazaar
TLSH T15CB4125A25987E22D57E0B3FE8D89691973DCD13A343F22A04C476BDE4F37A8481078B
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2021-09-14 13:16:01 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a16dfc22-153e-4bfd-bcb9-46363d0e3548

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187819/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1027.26902.18338.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
monero obfuscated packed
Link:
https://www.filescan.io/uploads/61750f76db358dd15ed92277/reports/45d0c2e5-d6be-428e-b4de-2b3e0f419586/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69817682-25f8-47a1-a1db-a59019e8e910
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850710
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483141 Sample: vbc.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 7 other signatures 2->50 10 vbc.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...\JdPRfOWLFui.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmp839C.tmp, XML 10->34 dropped 36 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 10->36 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 10->62 64 Tries to detect virtualization through RDTSC time measurements 10->64 66 Injects a PE file into a foreign processes 10->66 14 vbc.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 38 www.gushixiu.com 154.207.58.141, 49805, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->38 40 www.allfyllofficial.com 50.87.144.47, 49795, 80 UNIFIEDLAYER-AS-1US United States 19->40 42 6 other IPs or domains 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 cscript.exe 19->25         started        signatures10 process11 signatures12 54 Self deletion via cmd delete 25->54 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 13:14:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ux5woh7rjhjmdsl7zuaaoaydpsrvfggt2roupf5lecqzblva74ia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
Formbook
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
Formbook
41e1e39ddc4c57a2f85a475d30a43c6ca33346399d9fbd5548c78e4b8c732e14
Formbook
4311e97e616734f94d1aa4d38f37679749ae84513d132aee134fbc364d25b6ec
Formbook
489e0e46a5df58a3144cd7a3ecb1fd0e29aa2db5060084ec774f1d2c8c763fd9
Formbook
4ab9d09d0ffc49408cb40fe30791e2dbe7d6ea5cec1d44d509c0032b7b0322c5
Formbook
9eb08a4fd35569b3034dbe07ba5334ec8c5bfe262d589bb123e838dbcf688e08
Formbook
a47054787772fce1a96257aa9f1a70356fb752ba73ee714beed7826796db3a13
Formbook
bb8edab2af37d542c7774e5f5253e1de86fc80525f29e0e274747378201a3537
Formbook
d86dafa5f676c411da4770e51dd034590dbe6dbac01ca90e0c5015a17b363b75
Formbook
+ 9'263 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6cu loader rat
Link:
https://tria.ge/reports/210914-qg8pesfgd2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Uses the VBS compiler for execution
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.allfyllofficial.com/b6cu/
Unpacked files
SH256 hash:
9f0504e928d32b48eebf9c0ff72e61751fa16482f490bba59e4e4c8eda864f3e
MD5 hash:
6a7d943c3990612f8b47f7ecc9f48cf7
SHA1 hash:
de4705788da371a53409575bc59452e2a68f647a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3f6fb9b2-1fbe-4b1b-958a-ec5ff407d632/
Parent samples :
2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
207dff33f6f91f114deae60a6cb3a404a5f40bc607fb6015f680c8980af7ac16
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/3f6fb9b2-1fbe-4b1b-958a-ec5ff407d632/
SH256 hash:
dc7f70fbfd6d4b7ce34cbfb519bc4a8f0729c78aac10b2c0ec8493da155a0b2b
MD5 hash:
97ddde30c6f66736954df20ad2ab2a41
SHA1 hash:
8700347b6f84e74c0dbebab61320c044baff034d
Link:
https://www.unpac.me/results/3f6fb9b2-1fbe-4b1b-958a-ec5ff407d632/
SH256 hash:
a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
MD5 hash:
b5f072069794e482d7a5940d8ba04a9a
SHA1 hash:
c09d4b4b399ff3c346103e33879f0e4bdcc2fa6a
Link:
https://www.unpac.me/results/3f6fb9b2-1fbe-4b1b-958a-ec5ff407d632/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/187819/

Comments