MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5
SHA3-384 hash: c2f06858c0b03fbcfb59c5f6991d2193ecfcda883c6752937ad2fea2555d6d3a1382b27dc8475db7ea9bfeeab815de58
SHA1 hash: 1a6672e1077b7e6f446d690a4f0718f3b20cbd82
MD5 hash: 4a66b881896533d4edfa6f9de09afac4
humanhash: blossom-hamper-london-network
File name: 4a66b881896533d4edfa6f9de09afac4
Signature: Formbook
File size: 279'198 bytes
First seen: 2022-02-08 09:02:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep: 6144:ow3ClJ5F6M9egqqytfZLFCAcy0ehHdeSd:mlrIMIDfZLFC7+9l
Threatray: 13'137 similar samples on MalwareBazaar
TLSH: T12654235A32C49DF3ED46203314FB863DEB779218721009971B855FBBB6223CBBA59643
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 459c8859-5a9e-4390-a104-08d9eae90e73a4e9ff2b-b6e4-f3b1-49f8-8b8d4c908712.eml
Verdict: Malicious activity
Analysis date: 2022-02-08 10:09:46 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a file in the %temp% directory
- Creating a file
- Unauthorized injection to a recently created process
- DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour:
Behavior Graph: n/a
Threat name: Win32.Trojan.SpyNoon
Status: Malicious
First seen: 2022-02-08 09:03:11 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:yrcy loader rat
Behaviour:
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- Drops file in Windows directory
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Xloader Payload
- Xloader
Unpacked files
SHA256 hash: 37155cc88756674b6937890fa1586f0c4db49c7127683ece18185fdd2ecad5e8
MD5 hash: 7e69e0e1b3652454a0594dd775990dc9
SHA1 hash: 41756d66287c08fc3c8f857501766fdc6a72b626

SHA256 hash: 65f0bce9dc0a9ac44240513d358c8e469e1a57b50b0f9c7d953f6e00bd6861fa
MD5 hash: 905b1dc3e024e593c76ef625223d4412
SHA1 hash: 1929c9f87e67cd623d28aa4d5f58d7ed2b8a067f
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5
MD5 hash: 4a66b881896533d4edfa6f9de09afac4
SHA1 hash: 1a6672e1077b7e6f446d690a4f0718f3b20cbd82

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File: Executable exe a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-02-08 09:02:28 UTC

url: hxxp://103.167.92.57/Office365/vbc.exe