MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
SHA3-384 hash: 563c0b0ee1b6749a63f1841ddeef71f7ace802b983df8339b5983c27cc872d10ddb41b3a2fece8f4a9439febb2d0274f
SHA1 hash: 4e62b1c4166d9f569a3d3dba845330e22cf4b23c
MD5 hash: c5b91765063ed56b54eb8048711109bc
humanhash: florida-johnny-delaware-football
File name:SKM_C3350191107102300.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:573'952 bytes
First seen:2021-01-14 20:21:59 UTC
Last seen:2021-01-14 21:35:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2087285a50d01bf3729a786c15ab23ed (6 x Formbook, 3 x RemcosRAT, 3 x Loki)
ssdeep 12288:MwlWZb2WKaO3jWIWNO3YhO1Hip1FFlDVAENjNHqV7Eewc7nPlf:Mkw7XlN8YcIrJDV7p87l7Ph
Threatray 3'373 similar samples on MalwareBazaar
TLSH 1DC4016437F9F471D4AD023015E8E3779E34642201A985B7FBA41FEF4FB86E0246A64B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: relay3.redynet.com.ar
Sending IP: 200.107.202.26
From: Vicu Bruma <sale@ocaire.com>
Subject: IFW Air Export Invoice - 1253604
Attachment: SKM_C3350191107102300.zip (contains "SKM_C3350191107102300.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKM_C3350191107102300.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 21:18:59 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/2f14fa72-7514-436f-97da-3dcb52483c54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112101/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.362.5871.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/581868
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqr5joqochahjcbcjma2xrzu2nj5vcctp3kvzfc65r5jdiqcc2sa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ce70c12c5b8806fc6b3e507c5ed406599045b20688b456db124b1b685da60d0
Formbook
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
Formbook
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
Formbook
6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2
Formbook
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
Formbook
b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
Formbook
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Formbook
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
Formbook
f1c600a86d9492512f5c80574f885bc0b2c0f058419f58b1c8800eb6e1502713
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'363 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210114-wc837b4f6n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.4mzn-l1mit.com/x2ee/
Unpacked files
SH256 hash:
ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
MD5 hash:
c5b91765063ed56b54eb8048711109bc
SHA1 hash:
4e62b1c4166d9f569a3d3dba845330e22cf4b23c
Link:
https://www.unpac.me/results/70e65310-1bc1-4511-bd14-3ae035c4b58e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip b2b4fde970eda6d35e4f633e909f92b66e97c268659487e6cd44422aa8a5e864

Formbook

Executable exe ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4

(this sample)

  
Dropped by
MD5 70a19d6fbc2fc5f2bb9de2e1e5a7ddab
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112101/
  
Dropped by
SHA256 b2b4fde970eda6d35e4f633e909f92b66e97c268659487e6cd44422aa8a5e864

Comments