MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522
SHA3-384 hash: fbf094dd9a70aa845ac37266529998d681b5f6926c23372da10feac96f46cc7fd72cf3890cb650434056bbf296158109
SHA1 hash: ef600bba0be54d6fbc5f9e85cc2c129b69b04c88
MD5 hash: d7ee862b8a238cbb6d1aaff7648ca759
humanhash: white-pennsylvania-mississippi-nitrogen
File name:Uhutmcwfoicdxzberyhxhmcegzlqipqsdr.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'110'016 bytes
First seen:2022-03-14 09:59:44 UTC
Last seen:2022-03-16 07:34:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 777e841787613958f7e29d118d28ecbe (4 x Formbook, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 24576:74Qea4ilR2Ck0H49Q49OWvpL+hu7fjCURX:7eeRzyAm3
Threatray 14'210 similar samples on MalwareBazaar
TLSH T13335AE13B3908736C72726B64D17A250172AFE556D14A94A3FE83E4C2FB41E3B879363
File icon (PE):PE icon
dhash icon 63111616171fffee (13 x Formbook, 5 x RemcosRAT, 3 x AveMariaRAT)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250070/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.28469.25557.15684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9112/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/622f12310cd58dbd92956fbc/reports/46583028-0e20-48f7-a60d-810bffcb5e72/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c6823ec-d7bd-4031-a5f6-d44b6f418318
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955951
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588433 Sample: Uhutmcwfoicdxzberyhxhmcegzl... Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 8 other signatures 2->60 9 Uhutmcwfoicdxzberyhxhmcegzlqipqsdr.exe 1 17 2->9         started        process3 dnsIp4 48 qeiexw.dm.files.1drv.com 9->48 50 onedrive.live.com 9->50 52 dm-files.fe.1drv.com 9->52 30 C:\Users\Public\Uhutmcw.exe, PE32 9->30 dropped 32 C:\Users\Public\wcmtuhU.url, MS 9->32 dropped 34 C:\Users\Public\Uhutmcw.exe:Zone.Identifier, ASCII 9->34 dropped 76 Drops PE files to the user root directory 9->76 78 Writes to foreign memory regions 9->78 80 Allocates memory in foreign processes 9->80 82 2 other signatures 9->82 14 logagent.exe 9->14         started        file5 signatures6 process7 signatures8 84 Modifies the context of a thread in another process (thread injection) 14->84 86 Maps a DLL or memory area into another process 14->86 88 Tries to detect virtualization through RDTSC time measurements 14->88 90 Queues an APC in another process (thread injection) 14->90 17 explorer.exe 2 14->17 injected process9 process10 19 Uhutmcw.exe 15 17->19         started        23 Uhutmcw.exe 17 17->23         started        dnsIp11 36 192.168.2.1 unknown unknown 19->36 38 qeiexw.dm.files.1drv.com 19->38 44 2 other IPs or domains 19->44 62 Multi AV Scanner detection for dropped file 19->62 64 Writes to foreign memory regions 19->64 66 Allocates memory in foreign processes 19->66 25 logagent.exe 19->25         started        40 l-0003.dc-msedge.net 13.107.43.12, 443, 49796, 49798 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->40 42 qeiexw.dm.files.1drv.com 23->42 46 2 other IPs or domains 23->46 68 Creates a thread in another existing process (thread injection) 23->68 70 Injects a PE file into a foreign processes 23->70 28 DpiScaling.exe 23->28         started        signatures12 process13 signatures14 72 Maps a DLL or memory area into another process 25->72 74 Tries to detect virtualization through RDTSC time measurements 28->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 08:31:53 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzksbbt4qunuhsj5lz6dsc5u73ppssterryggg6af44w4tn76ura._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
Formbook
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
Formbook
6e0e8d1cb340a26f3e8294c7b07ce486b56afcabfb90b7e20e4331b6384a85ce
Formbook
89ca1ae6afd4451562d33f381d21e085245ebe1047d4a812d818fcf0a2e01393
Formbook
8da279ac96b229e5cf9e94b6d3a50ad3a3c048960d072f503565305deee84654
Formbook
988d086b6ca75da2fca905b090c6f20b21749335f7e2ee99d8dab2001d4667e3
Formbook
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
Formbook
b9ed36a21e09ff33bef163a4b8f5f041bcc51ef24b12b66e4192a3dc529ba5f5
Formbook
fb98f0f50c30ffdacfa3ea67a2990fa5ec2ee2646dc2226179f8589aec41f5d1
Formbook
+ 14'200 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:euv4 loader persistence rat suricata
Link:
https://tria.ge/reports/220314-l1n2xagafr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
82c6df58281ae7cc2374f3cb500a03483c5e5f1b53b84f8f96223eb7c50bdb44
MD5 hash:
189fa04bd7b35f265ab6ff4d7e25787c
SHA1 hash:
815b241eb9128ae75c1b187b39e95434eb780499
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/611ccdbd-3c86-4471-a19e-4d4a57685f25/
Parent samples :
b9ed36a21e09ff33bef163a4b8f5f041bcc51ef24b12b66e4192a3dc529ba5f5
a37011f4db99b06727ee861d1931ea2b0cd1d048aadce2e51485983dd83d8a99
77e99afc3316611a03c302e162838a45df001ec4eac0d4533aba69e98c3becf6
c498aa9cf4e79784433902911692b917a1990fa009515ca307b675eb9f34077b
8da279ac96b229e5cf9e94b6d3a50ad3a3c048960d072f503565305deee84654
741c817dd6bc5c718770d5903d3d0bbb0038408cd6bc6321c1fe364649e38ffb
18c5126639d2d4f5f95f8579f783e56f1ee0dc385f1ef2a6404b9ca70399285f
a54f3a94b5d82060b575d85b0ab779f32f532c96beef3081783f838e687bfcfc
50dba2f344aa086c034ce37a3aea4e70629a0eeaa8c59b2b6f6395b4969b7dc1
f917034d08d7cc2d2af50ff28d1b52944691fba6bb96965e18948cf7473bbd80
1777cad58e9516ffbeb10b73f8b751d8689a71712266f223e2281a425ed09551
ea5a2cf2a4c8ddc7f01d6b8a573efa20b7dd35fe633e0d1413b0d41e2cd31874
708af0a1312a0b416011df2aa5d4c7aa52f4ff483e9e0f4795e0e98eddc5a781
f0a3b64a941e0abb7fbc40e63dbc2cc1efe0822739280c0f6fab6b877bdf711d
8fd2d590487f9c781d57cf53186e0e713e06095bf7c71cc442ec349f6a1f5c9b
6fc9563d971fe534d3b73811ed493784a02bab6f4a0c13362c762a33eb59300b
ef808aede6f70068b433647ba15f37e8b2b207b3bf1bd2e8d623ca0b18a64f5f
c536b84ee17abfc596058bf5aca74f161cc372669760aba80804d497bb256bfa
6e0e8d1cb340a26f3e8294c7b07ce486b56afcabfb90b7e20e4331b6384a85ce
f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
d1d9a1e96a6f7b46b3634ec6454c07043c26fdc8455c949738e51b712340022a
8fb9ddc78aef013fcbc8ff38135972fdacf66a871cc4b42f719efefe2255219f
89ca1ae6afd4451562d33f381d21e085245ebe1047d4a812d818fcf0a2e01393
fd56e2246a9054a8981dd48ce0858a9dc5aa92115b0d27d1192e9005cd27f7e9
7397f5b9dcb22b5032f825681a1158f362b3485a120f0fecbc51f1b1c5ca6a52
67e27b7d6665351e8cfef328924fa39f06ca60d4cb40287936293d4f2daff84e
2a46c9193e41e7e908edfd45c08368959abf9155d056305eed43a46f882d6866
a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522
341d113b8a3f61a729b14f38483a48d610e80757a50068c1683e10d7381a299d
319d243495674c304b394ebaf3e7265ac58f7e7f6ef0e727fd4cab977d939586
df89b24a6d5aa863a8f74587615c997510a46dc5fe6dc52389047b8d0753b1f2
b0d39dfb3b1d61b324e915ac84465e694988fa179c988798eb8d9dabacf58712
031e877589f97a23fae025f6f7ff04b31f5a4341fed57933191e1645b43cab32
ae51f5b12195c2ce67b7bcb6f2f97844b7abd02ea94026a60080ba5060a19a18
4bb146afde30f4c68237fa83d0235813b9548d4b4800e9a4ca7bfc57f49c6ebf
41052b2fbebd33434878b18c4b3fdedcc71ed062357fff97a97737440b633853
42bed45454511067a6358d37aaab96c745722d990125bd1951bb42346ff3717f
a84bdf209b862ffbdf3d963611eec3c1c2d70024e24041727a49bc618d6ff4cd
8db76bfdd2666649dc2be8ef188d9548971f1edbe4d45c0d689a4700f7ff8169
2c3d0dfe94f6ee36822a79a0d6bc22efbd964781a984dec679acbb5029ce1493
b08dd02223a62d1f9dae7ecd8770288acb32dcfafcfa5a58095b495dd43e3f1a
39ce700e582c22bf87f67241aa5537b74991a30d016878bdd6c2dfd6dc114f9d
a6cea446b135529f57315da655e5329e267f80a67940edbf949196536b212c5b
9ac0322714806d2e922280dc9d59622656f1d0f682cf093df8505022cd631da0
efdd97e52e2d4a47a66abeb6073c2be21ce056da12256a2f74a5e9c6a8fe1916
d6fd4c8c1b20fd3d8c8e9e9c951a7975bb332655e83a9c8f8dd23742331186db
3d5d161635b1d409b28564bb95c9006687b720caa5bfb6ed8679b87e889baf3a
199cc04b9d617b58a11715354df9a83c93416a3906a352aeb21181d65021fdfd
d385c24887eb6e83869c401aefa83135165cd196e5b959e369c5d520c71ab016
56ac1555cc21d3400c4168a52da00cab97bfb205f0b43ab417fbaa85e02def9c
c8f1d68423b8b8f43600ad0fb409f71283cd5a9c732d7b1e641b414f6313625e
ca0cfe500b3f6a17dd31e684c1b32c9190b08480cfc630c23d1ce6cb6164918d
9e5ede8160535eae10bd05d831b9276301611620d7b82e38ea1c8d75edcbd7eb
f1c91bc11ffe14c373f0165d7876db47b1768c326f4d46a270fb6247ca11b1f0
90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221
d6f3a14495623a92c292f7285b1879575c34a135bc9bfef37b8d778d5de450e7
5852bf7347b25ab7e1f19cd1ce6e09a5c0fd0a6bf3282db4273e0a2446476af7
2b0c03ec624b83fbdc97d1b026c8274b13e2aeff02165d4464375518f217ae56
8d5f75029a8b18b50f6d17ff20cb510d60fcea55b7ea49b9bb3f18dc1424db8a
834bbca917e33d612d4989b3b68ab2aec2d6f5ac27494514238eba9f579d9a95
df4529d0592f28fbe9ad1918f19fc78db86e7abbca15b24cd016e5f34774bdcc
82c6df58281ae7cc2374f3cb500a03483c5e5f1b53b84f8f96223eb7c50bdb44
SH256 hash:
a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522
MD5 hash:
d7ee862b8a238cbb6d1aaff7648ca759
SHA1 hash:
ef600bba0be54d6fbc5f9e85cc2c129b69b04c88
Link:
https://www.unpac.me/results/611ccdbd-3c86-4471-a19e-4d4a57685f25/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a65520867c85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/250070/

Comments