MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
SHA3-384 hash: d1af4c40d66744938d36eaace5779d81580cc64cf2f7deb29245ae06e474928f59e859da7bb6bf7393fcf3ff2644547d
SHA1 hash: d13ac912867e46b4a88abc1ea35516fc95759a96
MD5 hash: e0f1e3b823d0cddfa31461ab72ea9406
humanhash: skylark-double-river-december
File name:e0f1e3b823d0cddfa31461ab72ea9406.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:269'949 bytes
First seen:2022-02-09 16:18:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owWG34Axqu8wLk1DTPQlLXNQDdCnmkvfgocT+6INHl:aAw6O6KD/T+6INF
Threatray 13'208 similar samples on MalwareBazaar
TLSH T1F144125A70C244B7C0A31670037B692BE7FAEF5536401A17E729DEF8AF215D2985E382
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239725/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6203e9809c257bc16263d19d/reports/8f664771-1913-40dd-8026-b54656322f63/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/240aaec0-85e6-48b8-8bbc-e55422336153
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937048
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569534 Sample: u22Qw3WM8N.exe Startdate: 09/02/2022 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 4 other signatures 2->49 11 u22Qw3WM8N.exe 19 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\xbtzqwy.exe, PE32 11->33 dropped 14 xbtzqwy.exe 11->14         started        process5 signatures6 57 Multi AV Scanner detection for dropped file 14->57 59 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->59 61 Tries to detect virtualization through RDTSC time measurements 14->61 63 Injects a PE file into a foreign processes 14->63 17 xbtzqwy.exe 14->17         started        process7 signatures8 35 Modifies the context of a thread in another process (thread injection) 17->35 37 Maps a DLL or memory area into another process 17->37 39 Sample uses process hollowing technique 17->39 41 Queues an APC in another process (thread injection) 17->41 20 explorer.exe 17->20 injected process9 process10 22 wscript.exe 20->22         started        signatures11 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        27 explorer.exe 1 171 22->27         started        29 explorer.exe 119 22->29         started        process12 process13 31 conhost.exe 25->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 09:37:40 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
502bd048ca66ac44a6ee60d4737e1b9fc5749bf3e665645e9da6039bdf399ba7
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
Formbook
b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
e8720afe9895124761086a0f00aa515997015669cc5332aebe99d5ea02ca7377
Formbook
fcccde6b56dbe8650273f1d67957a1adc1dd0e783d43d6543da7a44696731292
Formbook
+ 13'198 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:o6tg loader rat suricata
Link:
https://tria.ge/reports/220209-tsh5pabahn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
cc560afb8cb6ce65bd152af4449180e85e5e6872ffeabd00632730fec76855e3
MD5 hash:
c3c198e51bbf45a03e44854937b7b2a0
SHA1 hash:
8f723f35adf5520774cecb635ab26197775b90c7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c8c5ccac-ff70-4478-9762-8f53f9e4618d/
Parent samples :
a9dd9bda70b16a68d8f55e09a1f9bc5d29b49ca060d5642ac9057ab50968f262
cfd1a77378decd68cd7a59307b77b93247bdd91e00de5111ecae6b5658c8665f
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9
SH256 hash:
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64
MD5 hash:
b5e54ee9c196c5dc3327426f2f883771
SHA1 hash:
940df73d290c823bdb8f2d91f034e30ab5efe895
Link:
https://www.unpac.me/results/c8c5ccac-ff70-4478-9762-8f53f9e4618d/
SH256 hash:
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
MD5 hash:
e0f1e3b823d0cddfa31461ab72ea9406
SHA1 hash:
d13ac912867e46b4a88abc1ea35516fc95759a96
Link:
https://www.unpac.me/results/c8c5ccac-ff70-4478-9762-8f53f9e4618d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2004811/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/239725/

Comments