MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2
SHA3-384 hash:	48568cfb008e2cb554e53981597fb569255fe98886b043a3b45c4be5ed5b2dacacab1325bee3d72e25164cb50de9e898
SHA1 hash:	f73844f2fd89c797ad02d1868f63d145e471cef1
MD5 hash:	5f2da3f9d83babaa9fc94615ce884be1
humanhash:	high-oregon-october-seven
File name:	SecuriteInfo.com.MSIL.Kryptik.ABUV.23831.19672
Download:	download sample
Signature	Formbook Create hunting rule
File size:	739'840 bytes
First seen:	2021-07-06 13:48:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:Ay4p3e7ftXMxtUyHmFk4gh954la0yc56oGe82DqsH5ORreQs4nxeiNRRhgad7D97:A9p6ftcLmF+h34la0yO1EuZ
Threatray	6'408 similar samples on MalwareBazaar
TLSH	24F48C9C3610B6DFC85BC976CDA82C64EA6074B7931BD343A05712AC9D4EA9BCF150F2
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.MSIL.Kryptik.ABUV.23831.19672

Verdict:

Suspicious activity

Analysis date:

2021-07-06 14:10:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2b9bca0a-6ff3-4896-bb92-31e5b6737d1b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/169966/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.ABUV.23831.19672.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09de1d56-8751-4c8b-b41c-2579b543856f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/812306

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-07-06 09:25:57 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vjqa5juvvpj5fvwuixdnfmd5hfcm7o7xp4efaqi2yqtntvwag7ba._file

Verdict:

malicious

Label(s):

formbook

Formbook

49e85a486931e92ab028dc10d02b1d2d5860a6656bf6d50cef71542fc0905105

Formbook

5d1870672eff4e2ec6d699d654d5268051f7a56f8ca991fefa538eeef380a89c

Formbook

95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4

Formbook

ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce

Formbook

b60294d835ab78cd6edb940a020d476704f528f65b9e03559ed53cc182c808c8

Formbook

bd6055810a703f4f0caec388c7cce89661ee9451179dc3abe6261480bda4105e

Formbook

c9b6e262a0d1effd54b6ffcdc4f761d159e21b74afd02519aed342c1d7fac68e

Formbook

cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf

Formbook

f96442a26d160132827a3b109acadaf4aad9dab625939103677cc93783c93ea6

Formbook

+ 6'398 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210706-nxmfartq22/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.mfitcommunication.com/ogia/

Unpacked files

SH256 hash:

1a93600b92de92180b422c15eb6d6bcd5fa77075aec0cda6e6f92febbf53934d

MD5 hash:

1599e0481fb61dd3ba0ad0c229704ad5

SHA1 hash:

a61b36a57c69ba572cede8c1b5b9f579b46ec792

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/1e16cccf-796d-48b6-8cca-0994d78b4781/

Parent samples :

aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2
445ed93365c347e46a9e8c38fed4d13a61a5f00f3f2ea830eaaf321cc91fbc7a
1ccdc34a2258984fb0df40dd979f71d4c11bce12cb6e840e90fbd9281254ade6

SH256 hash:

5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6

MD5 hash:

072eeac61b35d3f09edee4ff4f80f52d

SHA1 hash:

696fd9905a47e526470c2e234fef32f1ec1b74ad

Link:

https://www.unpac.me/results/1e16cccf-796d-48b6-8cca-0994d78b4781/

SH256 hash:

f3fdf1ac2360695f84e7779ae0403de0e42a7e07e8d542cd33a336b1c9c45c39

MD5 hash:

97964cbd7f922a9606dd6ce6401ef811

SHA1 hash:

25e70f258ccc16a3787aea9ace31861c46197560

Link:

https://www.unpac.me/results/1e16cccf-796d-48b6-8cca-0994d78b4781/

SH256 hash:

aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2

MD5 hash:

5f2da3f9d83babaa9fc94615ce884be1

SHA1 hash:

f73844f2fd89c797ad02d1868f63d145e471cef1

Link:

https://www.unpac.me/results/1e16cccf-796d-48b6-8cca-0994d78b4781/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa600ea695abd3d2d6d445c6d2b07d3944cfbbf77f0850411ac426d9d6c037c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample