MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10



SHA256 hash: b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
SHA3-384 hash: e7e3e96061debf80bac3b08e8f37ef46df6140015e14c673f461a08168d3bd737313f2536544c85a490b0c5d577c3c41
SHA1 hash: 290a186a9869a6f3ded1049b1d567eafe0041f5d
MD5 hash: f8ba5db8bad75222081bc6b9297126a4
humanhash: alaska-november-william-delta
File name: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.16645.16215
Signature: Formbook
File size: 617'962 bytes
First seen: 2021-10-11 11:22:45 UTC
Last seen: 2021-10-11 12:04:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep: 12288:HOqZR8TTLtQ1AUjTivh0FuKSpWmREeYubvKRn:FR8TTCKUjY0FuKSplFUn
Threatray: 10'397 similar samples on MalwareBazaar
TLSH: T130D48C60FBC76491D829063E86019967E410EC3FB5B1B8D7235CB97A59313926FE30BB
dhash icon: c0dce4e0f8dcd4fc (1 x Formbook)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 156
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 09090.xlsx
Verdict: Malicious activity
Analysis date: 2021-10-11 09:55:43 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a file in the %temp% directory
Creating a file
Creating a window

Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: overlay packed
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2021-10-11 10:04:54 UTC
AV detection: 16 of 45 (35.56%)
Threat level: 2/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:b2c0 loader rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.thesewhitevvalls.com/b2c0/
Unpacked files
SHA256 hash: b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be
MD5 hash: f8ba5db8bad75222081bc6b9297126a4
SHA1 hash: 290a186a9869a6f3ded1049b1d567eafe0041f5d
Malware family: FormBook
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Formbook | Executable exe b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be (this sample)
Delivery method: Distributed via web download
