MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac
SHA3-384 hash: ae3fea0cc839423bd6ac1b6373c18972643d64322d16bd640741cde3f5d915dc358373e6383b4b23fa8e5766d83be342
SHA1 hash: c7174d007681e8695d51e8c2e913d5bc2429e2db
MD5 hash: ed81d1c4438c15157f70c7a55b0d8775
humanhash: robin-delta-mockingbird-ink
File name:Hesap.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:508'200 bytes
First seen:2022-02-10 07:25:42 UTC
Last seen:2022-02-11 22:20:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:qw2t5NGNYOQDzhP9SUfVB+jIF/Z2pfjD3eE6gLYHgWQjLpunU4PEVdl4vaw:w5NGSdDzV9SCVcK/Z2pfjaETc7PO+aw
Threatray 10'799 similar samples on MalwareBazaar
TLSH T175B4E1630D7CAA92F40A547561239BDEE5B0FC26563A8C73B61CBE3645B8343C50F26E
File icon (PE):PE icon
dhash icon 0c9c8acccccc96b2 (1 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/240257/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6204be1936f9921918363871/reports/b7de9783-15b1-407f-9c6e-ea3d6fd66a6d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e06705d-f067-4216-ad4b-ec6f38a8fca9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/937453
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569931 Sample: Hesap.exe Startdate: 10/02/2022 Architecture: WINDOWS Score: 84 17 Found malware configuration 2->17 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 2 other signatures 2->23 7 Hesap.exe 19 2->7         started        process3 file4 15 C:\Users\user\AppData\Local\...\vhaeerpca.exe, PE32 7->15 dropped 10 vhaeerpca.exe 7->10         started        process5 signatures6 25 Multi AV Scanner detection for dropped file 10->25 13 vhaeerpca.exe 10->13         started        process7
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 07:26:25 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxgxgtir2hkpcnrmtlgve3apjyres5gtwbbfp6jur3shkieljgwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
13c9e72370631d555cab3bd6ba12339252fa26915a6a60741668aea478a17cbb
Formbook
41d5c1e02c1b4a694660a1c8759ffd46569f5b9574ed99a08d3f00cd2765d2d0
Formbook
94517fa5a38b384136a3027f7588daa605494dd888e4658cb89d521f5fb2d55a
Formbook
9a4c4c66cf18870f1afdf443ca1490b044db24e3331cae51c718b605b08ac32c
Formbook
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
dbc4b30858a2fa9f7001f2347e1cb88f660b8e6651962519b78a7978c6cc2d72
Formbook
fcccde6b56dbe8650273f1d67957a1adc1dd0e783d43d6543da7a44696731292
Formbook
+ 10'789 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:efa8 loader rat suricata
Link:
https://tria.ge/reports/220210-h9rbvagchq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
859036c9a7591655f904f6200de6b2adf050611ae7bd0fdb43eae6a7563ee5d9
MD5 hash:
e42357af1349fb977f15e2ee866ff5b4
SHA1 hash:
d2bfa9d97879d4151299bfd333bcf7d641af79fe
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6204971-3701-46a4-9b23-d6d4e4dd6718/
Parent samples :
adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac
42dc6cb1694709c1a2d33542a735b89ab39810fd2ac5a434fb74446b7edd56e5
36dc07d6b4c429cda1b5a6f01f54675575f8b2929a0999047f598c85c36b4bdf
2f5f6db578c19a5a380e6e95f5ac284b348d2cb1a28b980fcc3596852e25f618
c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31
SH256 hash:
5e5bef6052e9c6dad5494f887cb6a69c5c70988bc296f423f0253396dbc6d25e
MD5 hash:
b375384c89943425d6f124190b2c70d8
SHA1 hash:
7ca84c524027008c349513950a93d325591d9b9e
Link:
https://www.unpac.me/results/c6204971-3701-46a4-9b23-d6d4e4dd6718/
SH256 hash:
adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac
MD5 hash:
ed81d1c4438c15157f70c7a55b0d8775
SHA1 hash:
c7174d007681e8695d51e8c2e913d5bc2429e2db
Link:
https://www.unpac.me/results/c6204971-3701-46a4-9b23-d6d4e4dd6718/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/adcd734d11d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/240257/

Comments