MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8d72d9791e3080312eeff69c3bda4301366780ad500701ffebaecde83cc2ed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	a8d72d9791e3080312eeff69c3bda4301366780ad500701ffebaecde83cc2ed1
SHA3-384 hash:	51aeb97833e1d2b18c9a4034c2c79949571cd2d6177ee8b99d19cf33af2be30a0810bd786455a3390bdf725537760e59
SHA1 hash:	c7a813766f1f3cf47cf5ffdb22752bdd1c3153f0
MD5 hash:	c60caec54c1f969cb7ebb6b4717f9d95
humanhash:	romeo-magnesium-rugby-single
File name:	RFQ# 210362.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	424'381 bytes
First seen:	2022-03-31 13:48:23 UTC
Last seen:	2022-03-31 15:06:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:cNeZpf+qTwza339izUARXvDfKi4V+T72ZDJgxsYtCDeo008:cNKZ8zUAZDD4V0UVgx5
Threatray	14'682 similar samples on MalwareBazaar
TLSH	T1E794DF2271D08096D4294631A8BAF87E2D435E6918F1F49FA380FF5DDA35946FC2E732
File icon (PE):
dhash icon	54d4d4d4d454d4a8 (1 x Formbook)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/260135/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.32722.32303.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12223/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed python shell32.dll

Link:

https://www.filescan.io/uploads/6245b15c9253b276b7b416df/reports/bb2f34b2-e9b7-484e-af66-259d57e7de92/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8eebaf68-6849-4dd1-a365-cba8883dc2fe

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/968371

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a8d72d9791e3080312eeff69c3bda4301366780ad500701ffebaecde83cc2ed1/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2022-03-31 13:47:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 42 (45.24%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdls3f4r4meagexo75u4hpnegajwm6ak2uahah76xlwn5a6mf3iq._file

Verdict:

malicious

Label(s):

formbook

Formbook

085716dfefcb862a1677484242f5e03be402875e1752717a9e9f6ce346120ea4

Formbook

0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780

Formbook

190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea

Formbook

224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478

Formbook

487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e

Formbook

4ba70a201f9aeed927954ccf79ebba102df5f50c437c278636b1905b3f71058f

Formbook

a871695c7312b67a4d3e5c3a41094a5c3824fcfa9f02ee67b2e0d21a0ba061d2

Formbook

+ 14'672 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:n8di loader rat

Link:

https://tria.ge/reports/220331-q4pj3acgg7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Blocklisted process makes network request

Executes dropped EXE

Xloader Payload

Xloader

Unpacked files

SH256 hash:

252a8e5ba8c4ba34bf5668e3de4642f6142885c3b35226aadcf7b2905616aeff

MD5 hash:

8fd950a48424898d10dacbbbd57e6376

SHA1 hash:

0b2909e4386d01181e14a47f41b843a4f0da58b1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3d030a4a-6d56-40a9-82d6-f32108c8339c/

Parent samples :

f230f73232a24ce8d07be64370eca15a4f4ad567a661008467645486e887e94d
a8d72d9791e3080312eeff69c3bda4301366780ad500701ffebaecde83cc2ed1
77c4b075e649411ca5da7f37be04f957e7e4ebb6d58b3eecdb7facf1033be81a
da0cceaa1bfab5fc8ceaf36994bf5a5fc06dcf60229a50135abd91beec0cd4f5

SH256 hash:

b652d5baa22790eea3e1d30c789a4183c1d3c9092a4dcaddb6009e1a37e7e6a2

MD5 hash:

060e6751f812268fc05ef2fb172eff71

SHA1 hash:

081ddfd8a1975dec0faf9f007429f28cc891c703

Link:

https://www.unpac.me/results/3d030a4a-6d56-40a9-82d6-f32108c8339c/

SH256 hash:

7ee3a8dccacc65c285d7dd46cf616c02480d763c0529a3b914c215dd853e4c4d

MD5 hash:

858ba7b059863c5fd4799c402677639d

SHA1 hash:

4754f016f1fedb3cc646d4df2ce45d89680ec761

Link:

https://www.unpac.me/results/3d030a4a-6d56-40a9-82d6-f32108c8339c/

SH256 hash:

a8d72d9791e3080312eeff69c3bda4301366780ad500701ffebaecde83cc2ed1

MD5 hash:

c60caec54c1f969cb7ebb6b4717f9d95

SHA1 hash:

c7a813766f1f3cf47cf5ffdb22752bdd1c3153f0

Link:

https://www.unpac.me/results/3d030a4a-6d56-40a9-82d6-f32108c8339c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8d72d9791e3080312eeff69c3bda4301366780ad500701ffebaecde83cc2ed1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/260135/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample