MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
SHA3-384 hash:	6d7ceb7cd5937d694246a26cf9d7e3186d3a93a820ceec7718351bee34687d1a00f9b4b1d25a730914b1ae0acd5521d9
SHA1 hash:	78b41e3c049f5dca11aa3c9679f757461cabea7d
MD5 hash:	cfddc31fa56b6e1a80f29386769bd19e
humanhash:	enemy-louisiana-nebraska-florida
File name:	comprovante de pagamento.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	347'740 bytes
First seen:	2022-03-01 20:36:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGinZreRjskqUeS4uNaCT57GEUZ8YINwWkL1incQH5hLUr8ZFrfnBjw:bZCRsseBZCT5CEUIK4XhLUYFrG
Threatray	13'725 similar samples on MalwareBazaar
TLSH	T10174221A52C541A7C782047609BB7A1EFFFBA2D801865AE76FA14F1C493C7EEE50C538
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	pr0xylife
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/246018/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.11794.18895.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process by context flags manipulation

Query of malicious DNS domain

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/621e8408b94fb38cb4319ea9/reports/11be63a2-da96-44fd-b552-279563ad9c76/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db53d689-b611-4e30-8f17-12e1751bd4f1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/948596

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-02-28 07:07:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uzp2mqfmai6leid3i4d4uu5vjlea7k2xtmnllgddpbikaa5u6lsa._file

Verdict:

malicious

Label(s):

formbook

Formbook

05af1ccc6696a83c58e46a5347b40959329af79869e9747399befbe97c85104b

Formbook

0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780

Formbook

335fa8671bb1ef8659247de4bed05898512fb3a056ef6deb31849eefef8a4743

Formbook

3ef87bd378c364fe42e2a46547baa7b5683716328eaf8c1e3bd74050becb83a3

Formbook

502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2

Formbook

58f65684890c1ec3e63d010defd5f3c48f963865d2fa1d468d5a5f44b7026164

Formbook

71bad0685e5b2447a8dcdc960ee2930ad5ec4910d5d449040fb52cb9754df2a2

Formbook

75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5

Formbook

786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f

Formbook

+ 13'715 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:cbgo loader rat

Link:

https://tria.ge/reports/220301-zd5m2abec8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

Unpacked files

SH256 hash:

1567ab36505b9c27f54c4cedfc4ff1e120118a0396f8edbebf1ea106be2b2344

MD5 hash:

17b73b2f3fd26ce31ddba6ac2c6e3976

SHA1 hash:

692b368f33515353371c8299dca256b0cabc35fa

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f145ccf6-216d-483b-ac8b-83682dd7ee11/

Parent samples :

a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4
f2b30831e93ef719ecc6b3d7fa88509a1b77d35068d4d6ab2728d9938c8a7859
7889cc6835fa2dad91efec45745239704b8d8ca2932ade574e92b9c28bf348c1
264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c
27331403cd4e737d09c723eaa8ad57607f4a243a1fcde752443af581b9141092
c0d6833e7ba34a1a05310005fa4e09ad5e1e2b60edf8fe62fc42b7610913496c
50a9cc4decaf32975996710740956b5a9c4985c50ded5a2bb8611945263af65a

SH256 hash:

4292c224da004e87803c03795aee6b14783a6d1684f14b72067861de47424554

MD5 hash:

08aa484644018133907b0bd02a8b7aeb

SHA1 hash:

4ffd491c96147ece6e7184e692d68f391fe7bca7

Link:

https://www.unpac.me/results/f145ccf6-216d-483b-ac8b-83682dd7ee11/

SH256 hash:

a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4

MD5 hash:

cfddc31fa56b6e1a80f29386769bd19e

SHA1 hash:

78b41e3c049f5dca11aa3c9679f757461cabea7d

Link:

https://www.unpac.me/results/f145ccf6-216d-483b-ac8b-83682dd7ee11/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/246018/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample