MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b503be7988f66c2820e5f9a13b6e53ba9b8d14011069c6c809065cf08463e22b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b503be7988f66c2820e5f9a13b6e53ba9b8d14011069c6c809065cf08463e22b
SHA3-384 hash: 9bd5181fb7f0122bc3ec752f6bcdf90d1a232501f518bdd0de03d2b38081a7358c8bbce0e6536b81a6402b262f3c86ed
SHA1 hash: 26a7d116c944c709369a95a4d86eaf8813860adb
MD5 hash: 40efdd8d2045850561ca484d01633793
humanhash: football-carolina-lactose-mississippi
File name:40efdd8d2045850561ca484d01633793.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:259'786 bytes
First seen:2021-10-19 14:26:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:wBlL/ciApcHmBWwKdo9STFbpzcUQ4iqmTRButukkAtwKvbwv5a:CeiDEWjV5baUNiqyRstio
Threatray 10'773 similar samples on MalwareBazaar
TLSH T18D44122157E1847BF49963F95FBE73BCE2B952004228A1C31FA00E6B6B5D7CA4E17352
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ETC_813_TXG-PKG_CFS_SO0704pdf.iso
Verdict:
No threats detected
Analysis date:
2021-10-19 08:28:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aaa0e159-f3c9-438f-9e9b-fe2e9c092f69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198569/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.12405.30471.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/616ed5b8a9d585e6d52e0972/reports/4d12338b-d921-4516-8496-fd7ede28f3dc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e33908f5-40e2-4140-9572-e63c1b0486aa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873018
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b503be7988f66c2820e5f9a13b6e53ba9b8d14011069c6c809065cf08463e22b/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 09:45:21 UTC
AV detection:
19 of 44 (43.18%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Formbook
7a12f38cc2bd503f9667620f86315281e8319f9f2dca72aa19eb19ff6f3629a6
Formbook
7a8cd0fb35936203195d49af3fec0140f45e8b8fb75df0203db6b914d4b8d192
Formbook
90e1eac40edda005fffadbb1d16c652d16e685f8f4cf7375eb6ac928222c3a1c
Formbook
ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3
Formbook
d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2
Formbook
dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Formbook
+ 10'763 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:dgt9 loader rat
Link:
https://tria.ge/reports/211019-rsefdsghcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.discountaquarium.com/dgt9/
Unpacked files
SH256 hash:
50b2a7c4cdde5100c1460be4dcdc37a305a5ccd6ef5d9199749145631e4ec9fc
MD5 hash:
e15dd4390a315e06f5139e6fefa853db
SHA1 hash:
4af9ca7045e7ad11787ae1de1c9645761a74568d
Link:
https://www.unpac.me/results/6a362871-ab6a-4d13-beb6-2ff716208e5d/
SH256 hash:
b503be7988f66c2820e5f9a13b6e53ba9b8d14011069c6c809065cf08463e22b
MD5 hash:
40efdd8d2045850561ca484d01633793
SHA1 hash:
26a7d116c944c709369a95a4d86eaf8813860adb
Link:
https://www.unpac.me/results/6a362871-ab6a-4d13-beb6-2ff716208e5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/b503be7988f66c2820e5f9a13b6e53ba9b8d14011069c6c809065cf08463e22b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198569/

Comments