MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 9 File information Comments

SHA256 hash:	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a
SHA3-384 hash:	eac1832c8029fe6b1373b890c4421dea0dc396c1bab0e6b7ed7ca428d236e72487e6a7e5a2b9b6a294c2c241ab1c1120
SHA1 hash:	98ae2458837e4f2bc4e518fd867d3edd28c4236f
MD5 hash:	f299a3572c1ca67f5df9c027c50f5488
humanhash:	whiskey-stairway-maryland-happy
File name:	SecuriteInfo.com.Variant.Bulz.771382.15623.28477
Download:	download sample
Signature	Formbook Create hunting rule
File size:	812'032 bytes
First seen:	2023-07-16 10:27:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:MotEJb4xECMrM7I+KA0Z2+8cjtHei+uo0hE/:nCCMrG/R0wTcjtHei+uo0hE/
Threatray	3'451 similar samples on MalwareBazaar
TLSH	T1D2050F48F3048A72EC4E9BB2D436CC2166277E2B7534460E62CF36D957F730669E5E88
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	72f2d2d2d2d6d2d2 (5 x Formbook, 1 x Loki, 1 x RemcosRAT)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Variant.Bulz.771382.15623.28477

Verdict:

Malicious activity

Analysis date:

2023-07-16 10:30:23 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/43062d8b-8d60-4af4-ba75-41822c62bc2b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/421446/

Detection(s):

SecuriteInfo.com.Variant.Bulz.771382.15623.28477.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed packed threat

Link:

https://www.filescan.io/uploads/64b3c6337a9c6ddebf0af22f/reports/a082f1af-7d7a-4189-9668-e6463b6f61a7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56a33533-2b4f-447e-9827-2518cf8f9293

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1273921

Signature

Antivirus / Scanner detection for submitted sample

Binary or sample is protected by dotNetProtector

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-28 18:25:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wmf25ju6lous6vxh26vhtozq5wpirhp54gtjajcmt7qcxlxumf5a._file

Verdict:

malicious

Label(s):

formbook

Formbook

129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92

Formbook

1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1

Formbook

2385821f2732aafbdf3ddde31c314ddfaad694ad9261e4b40961b61a1a78cf64

Formbook

5dde67093b891df286e998912557fa598ebebc662bb30252fbe9ce7798e50242

Formbook

83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a

Formbook

+ 3'441 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:mjyv loader rat

Link:

https://tria.ge/reports/230716-mhm8bsfb5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader payload

Xloader

Unpacked files

SH256 hash:

5504a5d754cf7b84da550e9f14d30817fd8f5dd98753701d9ec7516d92b015bc

MD5 hash:

7ad3ea0dcbe73bb9445199f99d4d4222

SHA1 hash:

fb4a26a6870e88a5d15cf593b915aa01ddd6ca8e

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/135a92ff-5537-450e-b8dc-4f767b2b3f8f/

Parent samples :

83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1
b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a

SH256 hash:

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a

MD5 hash:

f299a3572c1ca67f5df9c027c50f5488

SHA1 hash:

98ae2458837e4f2bc4e518fd867d3edd28c4236f

Link:

https://www.unpac.me/results/135a92ff-5537-450e-b8dc-4f767b2b3f8f/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b30baea69e5b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Babel Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Babel

Rule name:	INDICATOR_EXE_Packed_Dotfuscator Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Dotfuscator

Rule name:	INDICATOR_EXE_Packed_dotNetProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with dotNetProtector

Rule name:	INDICATOR_EXE_Packed_Goliath Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Goliath

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/421446/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample