MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a
SHA3-384 hash:	ec44e5423390a0a423ffb4243f0e0ce0b4e843453341b76e2820a4deeedb7451933c5f6f5caec8ec14dc0bdc1e8fff9f
SHA1 hash:	54158521035e30fcfa5a3fa9947e210a009dfa23
MD5 hash:	97f0b51c3fb5aa3eeba0b3bac26d5dfb
humanhash:	crazy-fourteen-xray-fix
File name:	payment swift.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	817'152 bytes
First seen:	2022-03-10 05:49:42 UTC
Last seen:	2022-03-10 14:43:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:GNx+HpyCYLpRmzV4t9jf9TMrhuV+BFg1x1nW5Fm9bT3vfQWhe:GNxGipAkTMrhu+g1xs/63HQWhe
Threatray	14'182 similar samples on MalwareBazaar
TLSH	T1AC05BEE0EF1C837EEC14723AC5A854B10EF52A9E3420BF1E968D11DD0967ECF58A652D
Reporter	GovCERT_CH
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/248985/

Detection(s):

Sanesecurity.Rogue.0hr.20220310-0505.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Searching for synchronization primitives

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6229918fb94fb38cb44ed4fb/reports/320f45a9-9d11-4ce7-b8c0-58dbd3f1dfd0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/877217c2-d2a4-44a9-a4a3-be0788c0a50c

Result

Threat name:

FormBook gzRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/953930

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Yara detected gzRat

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-10 05:50:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5sv6zry5k73xd4pd4vbubvdy7cuq6i6hfmhwc43rkx7nd23rzna._file

Verdict:

malicious

Label(s):

formbook

Formbook

31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654

Formbook

417c951fb4d744d1446011b1e2e36e76d450801fa8072d72ea600d323d03a8c5

Formbook

49f94b3fbaf875cb2c223cdee59cfdedf4b2b937fba4a473cf2e4f767b44cb4c

Formbook

6077a6a5a6270bd0cbd94bd424294d9c1afe129e72ac671db981245f4e294234

Formbook

6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068

Formbook

+ 14'172 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:yrcy loader rat

Link:

https://tria.ge/reports/220310-gjm13aecb3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

.NET Reactor proctector

Xloader Payload

Xloader

Unpacked files

SH256 hash:

c65a6af5fa8719686bd9fb55055ee825ec87b5e4adf7e58baa5676b45600ea7e

MD5 hash:

152b5fcf2580b07523200858789d1abc

SHA1 hash:

db90e619c454ed44bc97bd0e057d572e82c67cf7

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3800f6cc-39b0-4105-8bdb-6e2d9b6b3c2e/

Parent samples :

8f3f5241a8c1bbeb66db71d0836e576ae397e001b80975c4d45514a40388a12e
1c4ea60d79cd47479c151fb42ce286b38081387516735919714b866d0fbd6ec7
97b6532c228002e364a4bb3ad8efb13b1b13f9bbacfc93416b7b56f371e25983
11c1e5905566d8f30d8da73ce95e426fe6b960dae7e2852a0801297404d0d02c
a8aac4da04f10b4b936a31005d3e1fc2ac55dd172f00041e124a35240697a161
1e8c3bd4971e0110de6f8e3cbd73d60ff5bfa574319f4c15067b92f00d013bb8
3b556486b755edeaf1d0db1901be72b28993c44bcf80ef5e0459500b7ecd2014
3a4fb4a64ab988cc53007ff478c4e67ab7e03460884fc23fa0ef1f91f742887a
37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d
b55f35c86108c878bde53d36cfb0e5233aa97ccc006df085c08ffd1ba38b657e
605353b30400dd2065e8197d1ee3664907c67dda7fb7f1668fd6f61bc12fd6a1
7d2c10bd9b951382f20c6d058020f344099a8fffd5a8228fd60ab30631a6e78c
34e9283bbe09b998f45aa5194c9c7f615e43b46870ea68388e2b4ad312b72114
31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654
417c951fb4d744d1446011b1e2e36e76d450801fa8072d72ea600d323d03a8c5
078559092efe7665afdcb9aace0a5c76d8506f07832db7f83f72ad56fb572add
a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a
8ea742e271b371fe424d1e2cb3f5227c6a0f2af70161f5c7600148228e2d77c1

SH256 hash:

0208ac5c6bf360b1331d08792be1a51cacfdfc7c1a9e6d79d02869bac44efe35

MD5 hash:

27ddbd11fb509c3419ba958bad54a59f

SHA1 hash:

c2f3b89a5b10289cffb6005c1e38d770b79e5084

Link:

https://www.unpac.me/results/3800f6cc-39b0-4105-8bdb-6e2d9b6b3c2e/

SH256 hash:

860819c79adc89cefab88ac11ffc2c5d741adb649e5c906593e6d418e2208252

MD5 hash:

33eb973efdbe7371320e2a59475c647a

SHA1 hash:

aeebadf020df853a58793463e76609e3bc59ae3e

Link:

https://www.unpac.me/results/3800f6cc-39b0-4105-8bdb-6e2d9b6b3c2e/

SH256 hash:

9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662

MD5 hash:

b4c9c16228f0ee1de70ffc6264fb720c

SHA1 hash:

437049e452a511e220abdb32df695cdf07f5a7d0

Link:

https://www.unpac.me/results/3800f6cc-39b0-4105-8bdb-6e2d9b6b3c2e/

SH256 hash:

a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a

MD5 hash:

97f0b51c3fb5aa3eeba0b3bac26d5dfb

SHA1 hash:

54158521035e30fcfa5a3fa9947e210a009dfa23

Link:

https://www.unpac.me/results/3800f6cc-39b0-4105-8bdb-6e2d9b6b3c2e/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a7655f6638ea/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe a7655f6638eabfbb8f8f1f2a1a06a3c7c548791e39587b0b9b8aaff68f5b8e5a

(this sample)

Dropped by

xloader

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/248985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample