MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2
SHA3-384 hash: b044ca5326eccc879e47e5e82352be7041875a973322b9b14dcd687dd77d31814edeb112ab9761c91f62ac38c0b36430
SHA1 hash: a4a1866548bcc6432949e92b04c5bf8d60181aeb
MD5 hash: c404a45755638a43963d964a56dd54ba
humanhash: autumn-golf-shade-whiskey
File name:c404a45755638a43963d964a56dd54ba
Download: download sample
Signature Formbook
Create hunting rule
File size:851'456 bytes
First seen:2022-03-07 16:42:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37979f6c41c57d8235586cd064f0497c (2 x Formbook, 1 x NetWire)
ssdeep 12288:z1TYdtaA5/cer85Y/rr+iOc9WOlKly8AHjbS1Nh26394bpgBfdFanC0HOAzT:z1TXAtU64E4lF6ug6394a7Ft8
Threatray 14'154 similar samples on MalwareBazaar
TLSH T1D705BF11F2D11877C3721A3E9C2B93595929BF413D2F68462BFC2C4D6E362903D39A9B
File icon (PE):PE icon
dhash icon 3c2c6c9c97cc6493 (7 x Formbook, 2 x DBatLoader, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247965/
Detection(s):
SecuriteInfo.com.Artemis813231C25EAC.25031.27404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8497/overview
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51150e25-8078-4dfb-8f66-bbff395bbb97
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951983
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 584464 Sample: yON8sn8ddH Startdate: 07/03/2022 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 7 other signatures 2->62 9 yON8sn8ddH.exe 1 17 2->9         started        14 explorer.exe 10 2->14         started        process3 dnsIp4 46 bondbuild.com.sg 101.100.211.101, 49734, 49737, 49755 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 9->46 36 C:\Users\Public\Znqqspq.exe, PE32 9->36 dropped 38 C:\Users\Public\qpsqqnZ.url, MS 9->38 dropped 40 C:\Users\Public\Znqqspq.exe:Zone.Identifier, ASCII 9->40 dropped 80 Drops PE files to the user root directory 9->80 82 Writes to foreign memory regions 9->82 84 Allocates memory in foreign processes 9->84 86 2 other signatures 9->86 16 logagent.exe 9->16         started        file5 signatures6 process7 signatures8 48 Modifies the context of a thread in another process (thread injection) 16->48 50 Maps a DLL or memory area into another process 16->50 52 Sample uses process hollowing technique 16->52 54 2 other signatures 16->54 19 explorer.exe 2 16->19 injected process9 process10 21 Znqqspq.exe 14 19->21         started        25 Znqqspq.exe 13 19->25         started        27 systray.exe 19->27         started        29 2 other processes 19->29 dnsIp11 42 bondbuild.com.sg 21->42 64 Writes to foreign memory regions 21->64 66 Allocates memory in foreign processes 21->66 68 Creates a thread in another existing process (thread injection) 21->68 31 DpiScaling.exe 21->31         started        44 bondbuild.com.sg 25->44 70 Multi AV Scanner detection for dropped file 25->70 72 Injects a PE file into a foreign processes 25->72 34 logagent.exe 25->34         started        74 Modifies the context of a thread in another process (thread injection) 27->74 76 Maps a DLL or memory area into another process 27->76 78 Tries to detect virtualization through RDTSC time measurements 27->78 signatures12 process13 signatures14 88 Modifies the context of a thread in another process (thread injection) 31->88 90 Maps a DLL or memory area into another process 31->90 92 Sample uses process hollowing technique 31->92 94 Tries to detect virtualization through RDTSC time measurements 31->94
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2/
Threat name:
Win32.Trojan.XLoader
Create hunting rule
Status:
Malicious
First seen:
2022-03-07 15:22:20 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
25 of 42 (59.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbnzknsktt6hjrbbtjkeuig6zi7sumfwm2vb7bahh7a7k3qtgcza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
Formbook
0abec9fa236e37269a9bf904a27b2a2650bea8a5b81fcdbed6a1c5b5f37218cf
Formbook
564d91f37b294e7a10fe79495dc9da5ae6733b20f2d7c732ff0c692110b0e01a
Formbook
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
Formbook
988d086b6ca75da2fca905b090c6f20b21749335f7e2ee99d8dab2001d4667e3
Formbook
9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7
Formbook
c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a
Formbook
c7c0d3e8cd6fb36ceb4b5c2e32b019dd209fdd38fdf1bcb215f973da80437dd8
Formbook
d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
Formbook
+ 14'144 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:e3rs loader persistence rat
Link:
https://tria.ge/reports/220307-t78znafed9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
e0f0812898ccc9c325dc08dc1377365ec34bf8b6da18aa90e6b7f7aa2a13c548
MD5 hash:
289caf1027c7b756ce8da53d02485cea
SHA1 hash:
2f583c1c335fd45d56929dcf54c85ec37251edf7
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/42961a97-853a-4fc7-ad77-6e71bf466cec/
Parent samples :
6a7dd66c29530f7ed8f03ebd4b5f843639b34581d2e9ecd85c9fbdfb60450607
8051703485faca901060ae5b39054e5efee88909d2e1d4bb0f65126cda3230c1
1977d11ffc5195546fb8d5d8c660d7553c3961bf87ad4b972ee0cb1794d2168d
d4a859db98f9fd7473592c49c36ac926a2a29b27d7db8fc311f468bf82e64588
f35eab27c7c3c148fc5aec8351e7e5bd612214c91937d9867c8683ea7cde130d
974c776e5c3d20d4e254a4a493757f482931a2c48cdde33c76a0097eafbfdc85
83650c9dbbc1f4c607efa7934674da5f6237b234a81116744288be02cf2ead54
ee2440922354d6be2dce4ab27274ae2cc2108d8dde37837a739a7e2a36e317d5
f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36
fb98f0f50c30ffdacfa3ea67a2990fa5ec2ee2646dc2226179f8589aec41f5d1
5289d529e7d53da3449ddf8400d12ae7622ede25284c2823ed46d0800fd94736
46c2da007a993c4b1ecfa3ff91364bc98341c9c228517eac38b50c4567fb78dc
ea43c71d7ec447e2483c7f0c8488972648209f2b487f2e6e64227d3d729c1d88
23ebe8ce49e895139f26f190d36a37ec52e924db63a995901948f30111efe6fc
526f4e19614eb20343647b92758df4c1f9227e77bec90af22256af4b3b091596
02466f10b00992a56b5fbfd4f8117e8572c2f64b27fd7bed8b51acc159004fd5
d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
d3c632c33688b9d7ae817a7932ddb1a48dbaad0410a681304c6c88211a020fdb
641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277
9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7
564d91f37b294e7a10fe79495dc9da5ae6733b20f2d7c732ff0c692110b0e01a
ac59a96a7600ffeacec6db910d9ff04e5ddfaf5f325ca41a0c06028a739509da
7391303e2231d2f0143f8b0e86df253054e461a52279139fb800180d32271dbb
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
c1c5eecc6b6b1138ad43a1b2793d3872dca1c6ab4ec53d34e354e49e35d045d0
82c24935270870bb35719f35c29075f8bf02894bf81ba28e66983aa2247472a8
7146b418cdd99ac478a67e603bffb10c10f1c32745da1fd60c931f54f1f114a6
a7f53b92008e8a3678035fc366bc1b88d152efc8466e9e82c754752d000a5ad5
d423d7edf718ca00f8410a93834a6f9c99216c3a60860700f1fc6e493fedcc43
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
3bada4f5bcaee92a5979aecaa24326988226e9886815ccba28904d30735fe506
50365c827bd768ec7fdf1a5b688d19ec0645042e92f04dad712a1955e9bb4c8b
e0cee79b01870e15ca64195ba9d953f91173b189b9fb8c45a2bae916dd8f95a5
3fbc9c55133b3d51ba2221836cffc08e727826e9514233706781f897ca0988f3
15bff226310e77a5ff67a9e131c8e5d7ec0686e967e0863dca784f20fd8d0268
3d256cfde83a4560df279fbe2b4ef03ccd52fa13b31bc1daebcb3bed353c215b
03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf
6d3ef9ddf5f1d57d353e5d8b9bedbca6ab42765de06abf381534126d24142948
bd54feaedda33ef8e611cd540e84b8c44d989f2417ddca33472cea3b7892afaf
3f8e7640849ec23964af23d6e70ccc62510a3cec9bd775b30d18d5db7215a22b
b65b5c308318e1e0fc2228dd022300099273dc340aa8faba81abc1d3868707ea
4195e6b7bfb7263798034048a5a2d34780ecdddae25576e23e9c6b0df9316ccd
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
b3b8ceafdfc6bde8a73c68005414b709ca2b08f5eecfd9a49d769460d6c17c98
67708b9f3764b349b6cdb3d8cef073edc22303181f0a1c6f129ac1dae18feb1d
714e06d12bf6f481cfd3dfa64a13d37c614a759543d87b38ca2c6a03ee936f7a
fa6d0f34d7c69bc4e525cf1830beffa3aec08c9b69aae24f55a6232d89680421
4a59190e199b69f65aa69f2f5f1f6b568d49a052868e2c853b7ea1d70c04a953
5a288a8a3fd0158f2d9e11713cc4eaf951e12e4f196fcea95d74a14fc37d16d1
6c18b064240861b42aa8fadbea5472fdce174a4d2b1510d53cba2b28779602d7
988d086b6ca75da2fca905b090c6f20b21749335f7e2ee99d8dab2001d4667e3
aeb38f72dfa11e848a65cf0814a530e24df08dc818348d9e80978cb330f24af3
90b5404ae697363f350f8c78220428a79ce57b743e5f0eac06137b27fea25400
c1b7572079230fd99c0ca004448f526420c124efbd0e1f6027fb950fbac5e05e
952d3a3e3d19204bf7bb614623aa0d78e0be4ee05b0313c5c68e0e10f6e390e0
f1d8f8c8bb9871fabbd6a001c48bc001c5181b512d2989e87f08280b74ada33b
42dfb1aeb19afac4595bc0146dd42ee251896ea1bf3ea8ab05d4bd28a7edbed1
8dffb14c55c2880b40767aadf5615a6652403d59f357b0b77da3e00b875a0e32
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4
8f9f3e0d7eebe0304aeb35eb75be87c7bfe13859e00851df037f54d14765cbb9
44d963269f8d6e5ec5c15354be28c9078f58eea78943d39eb78c6485dea5065d
55d580190c976f23c945cb65feac487555e1b919079d930fe6201e22b5538905
d7d7882cc702fc76252e2b4fe7cdc7fbffa038e2329e579142e64acf81a26304
c7c0d3e8cd6fb36ceb4b5c2e32b019dd209fdd38fdf1bcb215f973da80437dd8
b0842f8285062f38c030bdd15264ec38fb23624888d135121f1cc11084c765ba
a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2
42cbad41d36d2c0f5ae498e89024822907894f02e173802d6e96dc57f0bff2ef
SH256 hash:
a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2
MD5 hash:
c404a45755638a43963d964a56dd54ba
SHA1 hash:
a4a1866548bcc6432949e92b04c5bf8d60181aeb
Link:
https://www.unpac.me/results/42961a97-853a-4fc7-ad77-6e71bf466cec/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a85b95364a9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2073568/
  
URLhaus
https://urlhaus.abuse.ch/url/2082243/
Cape
Cape
https://www.capesandbox.com/analysis/247965/

Comments


Avatar
zbet commented on 2022-03-07 16:43:01 UTC

url : hxxp://23.95.122.119/421/vbc.exe