MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598
SHA3-384 hash:	b1279de79dd1d078ca0ab3cbeadf0e5f3ac9c0fa63003e2103d71068512f9185d2722a27f3a12d32272146e84cdb0527
SHA1 hash:	bb6405e828b4f43846e2bf5dcfda7ccad2c204a3
MD5 hash:	4cfcb2976dc600ecd5e61ee012d2cf80
humanhash:	nine-south-fanta-twenty
File name:	SecuriteInfo.com.W32.AIDetectNet.01.19961.17844
Download:	download sample
Signature	Formbook Create hunting rule
File size:	458'752 bytes
First seen:	2022-06-16 11:49:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:projjSa9fkWkKEZaF1hQyWO+NnFwnvIlmttIv4QEOov:pI9fk4fF1SyF+J+vIlUIv4Qb
TLSH	T190A41206139C9770EBAED77A9445010507F9B2367B10F785DDC0BEE61EA2B819B027EB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/280664/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.19961.17844.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ab18f05c08d80e8ed6dc86/reports/c36f5d4d-cab9-4ec5-b76f-642aa05aa3be/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/30414035-20c5-48eb-bf7e-73de2a8e15d2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1014498

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2022-06-16 09:19:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v5zu2eplfae5c4p7hzrqs3fszpjy5zcknzfz4cvrsveymnjaqwma._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:r87g loader rat

Link:

https://tria.ge/reports/220616-nzkzzaefcj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Xloader Payload

Xloader

Unpacked files

SH256 hash:

39e441a543904b641526982d9a068086c6617c7634d6fbf23afa95e2c2d17ba0

MD5 hash:

a6988e39e88adaf61eec4ead2f094c39

SHA1 hash:

69f894fe81864a6872219ae63abc3d20f8a1af4b

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/b8d0bbae-d2bd-4b02-a44f-3c335524cbba/

Parent samples :

a102818080dee054dc3006ca676c09a7c0b398e0fa29164d86ee0978cd38d183
8e7a6dbb2098baeb2669737e69b40625b4b046ab8145acc530c21bedab7f223d
ae9f0346b40cfbd4c996fa4c44dc84cbc39ee02785059b02138474a0cb0acd46
6dcb58ae937b9194609ef51a11f945abb7b82d9f10e032bbef2fda12ee96e6db
347fc805a4e64d0e7418dff453ab17c3f76bb0809ef0cfd4b1866d13d494a935
508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730
1815af32dc17a841da7e5a722841fc310bbbd25972773721226bc8406b8b399c
9dcb8b18c173b2407f6edd177227417ab9e0742997570b07d3d40ec71506480d
af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598

SH256 hash:

0270629474b731abc7a4a038e1b3b694082b0fdcc627b7aa3590f6ba48dbc870

MD5 hash:

77525cd4c51dfe43cafe885954d87782

SHA1 hash:

7475a6dce3e84400394df197fff9664732dc3609

Link:

https://www.unpac.me/results/b8d0bbae-d2bd-4b02-a44f-3c335524cbba/

SH256 hash:

84238dc32dc2c72716d7233f509b43a45617e2a24ca07eecda58ae37a704b90b

MD5 hash:

1d6115ad56b1707c8afa1a65f22afc96

SHA1 hash:

58cbf25298e84cf9d91da78ae370ac5ddbb2c3fd

Link:

https://www.unpac.me/results/b8d0bbae-d2bd-4b02-a44f-3c335524cbba/

SH256 hash:

991e725612104bb83a3ecad0dd9a7c47f4a7782ce3a854b5cf57f894091cf343

MD5 hash:

e49d26d74dba968cdb75ed65d0e3bfdd

SHA1 hash:

24fb7e2e50dc8eca1c15acac7cfe9dd6ce420bed

Link:

https://www.unpac.me/results/b8d0bbae-d2bd-4b02-a44f-3c335524cbba/

SH256 hash:

af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598

MD5 hash:

4cfcb2976dc600ecd5e61ee012d2cf80

SHA1 hash:

bb6405e828b4f43846e2bf5dcfda7ccad2c204a3

Link:

https://www.unpac.me/results/b8d0bbae-d2bd-4b02-a44f-3c335524cbba/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/af734d11eb28/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.