MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36
SHA3-384 hash:	a451573f91c43f935a37e47741b4c4b989c13c8d83716e10a8a104b37d1f22204677d6e795efbfdbf7d596b2a1d448a0
SHA1 hash:	734eacaa3801095cc12434c7aede52db489c5920
MD5 hash:	b0b0c6a60d0d9ec36ff600de2bd35d56
humanhash:	fillet-zulu-seventeen-west
File name:	b0b0c6a60d0d9ec36ff600de2bd35d56.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	427'520 bytes
First seen:	2021-03-31 18:22:17 UTC
Last seen:	2021-03-31 19:15:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:t+ipTmWMkk8MMfVKA7GpFPtBxskYKx6TkkOLQQiSsUS7TYQRCG9O0gqg:lZkM9KWGpht/skTxUkkAZLS/YQRjZf
Threatray	4'450 similar samples on MalwareBazaar
TLSH	E694F12153D8AB35F5BE6B7D00602520A3F2F119D723EF0D7ED841ED5E96B8086BA712
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

2

# of downloads :

99

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

b0b0c6a60d0d9ec36ff600de2bd35d56.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-31 18:58:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bbf9ddd4-8bef-4431-b589-095a6196691c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/129774/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.576.9037.20817.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-31 18:23:05 UTC

AV detection:

13 of 29 (44.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wsebzq4hjaueaknxacfk65oa6h4futoloctbijphq4zfonwih43a._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

06fec711d6d4cc7d3446fdad1245c0cf7fee3bfb755039cfc3dad9bd25777bb1

298b7204317915aa463fecd43ee99abbb9020e993dc0ffdcc5e382d0f590a7b8

41d1baa905b28a22e738f7379125e26301e240815e85ef0492b6061432cfe139

462ede8a2b37164863953764e75ccb25c0224396475dbaf96f6dbb6b51484257

719604b516f11740266b2c7a8a61129f779caf4c1f9e16bac35d39f5792a009b

7c8eea0e649a176edb83fc19998f0e99be49c7bee1ff9090d1be69f614554088

7fba034b2f0aa5f549bda067c80b6494a02ea3d96e70e13701845bcfe7ade5e7

8fb2a899e6622a2ddc7989121174bea2b7756f3f56f64f42dc6ef875d19ce919

9c335d547092d063a6bc46441486d5336c62818b648139ab92839e30ef230c4a

fa768e26f300f2c19ef11635dd836b031e0b5352d86d40cdc24284bf874230e7

+ 4'440 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210331-9jx8kz5wea/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.adultpeace.com/p2io/

Unpacked files

SH256 hash:

d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb

MD5 hash:

00cbf73d8b9f03417a3a32957ec64ed4

SHA1 hash:

b862eff1cf240a5ad5325fd258892e534484a6e8

Link:

https://www.unpac.me/results/5e043526-510e-4625-81b8-ea4f17b32fa6/

SH256 hash:

b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36

MD5 hash:

b0b0c6a60d0d9ec36ff600de2bd35d56

SHA1 hash:

734eacaa3801095cc12434c7aede52db489c5920

Link:

https://www.unpac.me/results/5e043526-510e-4625-81b8-ea4f17b32fa6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/129774/

URLhaus

https://urlhaus.abuse.ch/url/1099912/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample