MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956
SHA3-384 hash:	65d337533c85f83825c182a0f11aedf83ada84849c7e0e05ed5d3e602dbbd440c7e0e68d90ae4d46a61ade5c97947a25
SHA1 hash:	a164c5bf7e2bb44ccece3d28ee4b7ae040c6f004
MD5 hash:	fa3d5b504712ac42e68f6c5d98598e1e
humanhash:	glucose-wisconsin-friend-princess
File name:	fa3d5b504712ac42e68f6c5d98598e1e.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	599'552 bytes
First seen:	2021-10-18 20:17:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ny3bU4N/HJRNwwC6dQ7HG+4FnjLlOhsxeHH:0fJrPZQ7HGhBpOyxen
Threatray	10'675 similar samples on MalwareBazaar
TLSH	T126D4BE7CEE046A67D269D63CE49E0506F27450D733316E8711CB370D741FA8A3AAA39E
File icon (PE):
dhash icon	ecdeeececee0f831 (3 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/198314/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.26901.10862.8949.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/616dd680a9d585e6d52c69c1/reports/21539294-6956-4e2a-a8c6-c40135b4f47e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c4b93cb1-4522-4b4d-8ea8-bf5a1f565caf

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/872651

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-10-18 11:01:46 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vlyead4d7utrqahb6tfvb6vuhcky5m3xdjvwvfabyx5gnqofxfla._file

Verdict:

malicious

Label(s):

formbook

Formbook

1d3c91b0ec0e3b039a78c042eec94a3aebbe5da4d6e61cf7b7e54de22084d4a3

Formbook

4340e97182604cbe78767ba17c66b1d106d7e28855fc5ef3737142b41656cd9c

Formbook

6d2abaaa61c35b3bc1cf8ae531dd9505406379b70f414f806974d0202365d14e

Formbook

6ffe756ce71f1457d7dd480357f3545f123b750fc4bf30683b59887d491948a7

Formbook

89b049bc712096512185d1607a9318c074885b2d5b529e0985dc92cdd94d1f51

Formbook

9136c283e5029c2f073b706014f6f73b67ead84450267cb5ce0dd26cbcecaa25

Formbook

91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5

Formbook

ba22bb07f3ef12877682493d25ed29cf6e2ca6c9ce2bc9527396a7bae00ec578

Formbook

d567a6e6ac075533ef1960033ab07c0afed9638c785ccb3a9461195785ac9636

Formbook

+ 10'665 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:fqiq loader rat

Link:

https://tria.ge/reports/211018-y3a92sfeer/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.esyscoloradosprings.com/fqiq/

Unpacked files

SH256 hash:

36962a581f91e7f4920e3da5c34a4753efa23e5dd51822b52fa726c44aa3be51

MD5 hash:

0fcc97c13416adb52d58364646db8ef8

SHA1 hash:

8fba0404952912070ee5ae0ac760519f498daf0f

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/87f03e16-5739-48c0-94af-6408d1ebb8f5/

Parent samples :

6ffe756ce71f1457d7dd480357f3545f123b750fc4bf30683b59887d491948a7
092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
9136c283e5029c2f073b706014f6f73b67ead84450267cb5ce0dd26cbcecaa25
89b049bc712096512185d1607a9318c074885b2d5b529e0985dc92cdd94d1f51
d567a6e6ac075533ef1960033ab07c0afed9638c785ccb3a9461195785ac9636
ba22bb07f3ef12877682493d25ed29cf6e2ca6c9ce2bc9527396a7bae00ec578
4340e97182604cbe78767ba17c66b1d106d7e28855fc5ef3737142b41656cd9c
6d2abaaa61c35b3bc1cf8ae531dd9505406379b70f414f806974d0202365d14e
1d3c91b0ec0e3b039a78c042eec94a3aebbe5da4d6e61cf7b7e54de22084d4a3
aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956
832c65a202ec1c69a8297af3d2fc3d233ac65b7c2c670f30d0694089601c9cfe
58877fce8fc8226d8ed82e6db80af591acc24372286f86518908b934ddc65e57
36465b5c8b0baa57cc7d26405d290bff57488f216c72654b2773e506dc6646df
b16670d7ab7fc43029ef6033d5bf6b8a3ad78f09fefed66ec6351c7eac0a53f8
37669e84be570d6748f6bae3adbaf41a969894111073837204f526a1f8c8dad9
c0363e690238ce1be218baa1c66a3fe647df3740da9448788945c6863ac6b07c
a104d6d98afd1eca774c2b8b12aee19bbc52216a358d9bf00ebfb503ef8e553d
0e636b89393a1581a2e3f4b141c9886bed9c77969569605cdb44b78d94127802
060c2f164a53cf74817b9b2f176d770dbde8b1ef71fe5322abf9ae8197232b7d
43d01d2eb5232707d644d1ea624c347b98220adbbdb7a8bd625814a5b971dd2d
37fe8e29a0b03c101b7de698fe335669bd98d2f4afdbe202bca00ceef540bd5d
88162d7f1cc5091fe38963f350017010d2ff7167e4d50c84599ad9f3b29a1a2d
5fa1ff89c81ecaec98e5995fbfe4df5caaa1da2f514d2deefff5ea91938d579f
b2663af445ff18476795d3462841a45488a9f2fd53c92d0c798e2e24892e10ae
cd9c2941f474d97ebaf1b88641fa3153958c8936939b77e0a62fb19fa488b25f
be6f833816e4dd59791654e138d793e1bfb6bfe016f34ae63b9b3e2f6106fc55
1764a3523eb73d0b632820c013bb2a723fbb3779c7eb59c7e0b67cd488deda6d
f0a7f92f4fa639da7f829e82242a21aa8861bc98f1783b51638e04dc148e81b5
92dfbdc903edcc919f426dc689d4461d354d15d77bf7f865db884f5de11d1253
29e85e2310c309eb1fc9939287177b02a8b4b096c2b600b2bd47a8e1acb58f36
28903cad5faee3c56985c052982d83527166253a85a74315ecca8d6dc17e6a59
ff50a282945cb9b5a738f97aa08714f874469eaa4ed79fcd0c5fd0c12d6a4be8
3d50a61d513475fc02d1685b3e4af3d10c2b23136c41703552e0e41b35fbeae9
7e6b468c991367b78ad9d9a9437ab4a4efd789203038a75e687cc3beaa346dd7
ee2706bc2dcedaf802a943ae5e94af62e28b004f39059f8c9a2fffd88de49aeb
19e393a62338d6cc292c4aadeab10121a453635fdb5fe291d295a3a6fc6ef712
d042461c8232d82419b3c843757d65e0e3ccfcdaf7d12c03c7e027f5b8639854
7a1a96acb6fbf74b821d7cad25b8912cbb97ea2eb4b847289cc0486705984fda
6b9d128b143bc2ec8b72ac36891a5b12887f182de44ae5e367c0a486b774a59f
12c431c9695b91725092b2261e1f4d251d682fdc0784ae3c7df3a7a478f194f6
dab06b4d2862c59c9a454d29852d9bf4a15462d660ff65e0a29d987d6b8f320c
63c0f55aa5ab5b3cd05a335deb13a29dee7f1bc41b860c716239c44a2bef39f4
7538dd54090aa1debe47b52503cf0099fe2b2839f08ff282dacd31734a0bcb9a
55b588d9d763bee7e3a03b6bb027af6ccd779fadd9022696d31e102a97f1b18b
dcd2e00fc2a47d732fd3d0d79fd224caac8bee02053a1b02ba4e51e022a949f9
bd7cddd657e0144076352a60664ca134c2ddee8ffe8da70793d5b97f17cf9318
933a2e4716b395f6fa6aed9ae203901742b7993fdb29d5b2f56a3c82f80fc095
b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255
a1b040465bd651704642deeb02ab2aa060f2f64183b297062c011e10456279a9
821d7489d8ef08b8ebdfb08350ac7cf3ae8ac918b4a1aa4bcbbcc0ffbd668059

SH256 hash:

2aeca15a0dfd80251c2e58912a4ba30fcc6014d7d982282830d6fced7bf9ab1f

MD5 hash:

71ed5a2f24f83829f8be8428bb1e7c7d

SHA1 hash:

d7558d328817aebfa8a0719792768698bbb069a1

Link:

https://www.unpac.me/results/87f03e16-5739-48c0-94af-6408d1ebb8f5/

SH256 hash:

682aad6d60ec15161014fb0afa6b8282d913c4100ffd35ab1845ed257f5c2b3c

MD5 hash:

14bc2c95b53a6fd191c74d2ed42bb11a

SHA1 hash:

8939698c7075703e75bd8233dac272bf025452db

Link:

https://www.unpac.me/results/87f03e16-5739-48c0-94af-6408d1ebb8f5/

SH256 hash:

aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956

MD5 hash:

fa3d5b504712ac42e68f6c5d98598e1e

SHA1 hash:

a164c5bf7e2bb44ccece3d28ee4b7ae040c6f004

Link:

https://www.unpac.me/results/87f03e16-5739-48c0-94af-6408d1ebb8f5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe aaf0400f83fd271800e1f4cb50fab438958eb3771a6b6a9401c5fa66c1c5b956

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1690405/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/198314/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample