MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a9315bbe1d7fed90a33a02d205fa96993061c7fb391ec408180f2381db9318. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	b1a9315bbe1d7fed90a33a02d205fa96993061c7fb391ec408180f2381db9318
SHA3-384 hash:	3994660b031e3d9375af0f9602aacd8aa737be5430f710955fb0354c986fd89952a0fee9bf1c12d272709270a33c45ef
SHA1 hash:	919d080fb5cb10de8a1c99d12fd605f1a4b0c038
MD5 hash:	f820ecf6752d4fe2d39347dfbff8db18
humanhash:	fifteen-pizza-blossom-victor
File name:	SKM_BL_C224e2104221317034443434434342244347.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	286'198 bytes
First seen:	2021-10-28 08:01:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:wBlL/cuiQSeQ6LouFKiINBDiCtvQsf5Zs9sTyucHm88tR+7s:CeuzanuABDpVQsf5WHqtR+4
Threatray	11'069 similar samples on MalwareBazaar
TLSH	T1B6541324A2D39823E94257F04EF69F6486A7C318473C7FC717504F1A6E7D1CAA463AA3
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/200826/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/617a58fca9d585e6d53ccffe/reports/0426cbc5-f6cd-495a-9d7e-ce5df60faa70/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f853f51d-5e24-4f44-b0ab-8bc981edf9c0

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/878390

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sigma detected: Suspicious Svchost Process

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/b1a9315bbe1d7fed90a33a02d205fa96993061c7fb391ec408180f2381db9318/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2021-10-28 02:55:22 UTC

AV detection:

15 of 44 (34.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wgutcw56dv763efdhibnebp2s2mtayoh7m4r5raidahshao3smma._file

Verdict:

malicious

Label(s):

formbook

Formbook

19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5

Formbook

5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

7b11c921e5383232009985b5912967978ae269287359f9c1718c2b37e1a067f8

Formbook

7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691

Formbook

87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e

Formbook

+ 11'059 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:yrcy loader rat

Link:

https://tria.ge/reports/211028-jw468aabh4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.drmichaelirvine.com/yrcy/

Unpacked files

SH256 hash:

b1a9315bbe1d7fed90a33a02d205fa96993061c7fb391ec408180f2381db9318

MD5 hash:

f820ecf6752d4fe2d39347dfbff8db18

SHA1 hash:

919d080fb5cb10de8a1c99d12fd605f1a4b0c038

Link:

https://www.unpac.me/results/6324d184-4e99-4c4c-b857-ccd64da9b155/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b1a9315bbe1d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/b1a9315bbe1d7fed90a33a02d205fa96993061c7fb391ec408180f2381db9318

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 3a85da88d8f74a6301bd27ff908155a4392c4f3fe65215c3ad780a8b569dbe37

Formbook

exe b1a9315bbe1d7fed90a33a02d205fa96993061c7fb391ec408180f2381db9318

(this sample)

Delivery method

Other

Dropped by

SHA256 3a85da88d8f74a6301bd27ff908155a4392c4f3fe65215c3ad780a8b569dbe37

Cape

https://www.capesandbox.com/analysis/200826/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample