MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
SHA3-384 hash: 5980a7026b9e1491e4f42014e058bf8162834a7d10dafbb53cb59e7855d09269f4ba9e170e8b2b7a3300130a6102116c
SHA1 hash: e34b69f0ded056eca7dd43b8f5be2edf7198c211
MD5 hash: 91523f8d438585534d9466432cc4665d
humanhash: winter-sink-early-arkansas
File name:91523f8d438585534d9466432cc4665d.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:206'058 bytes
First seen:2021-04-08 08:12:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18bc6fa81e19f21156316b1ae696ed6b (51 x Formbook, 24 x Loki, 9 x SnakeKeylogger)
ssdeep 3072:NeYBCwqDxkJ0APVbpNGMsacBTLPQ6XNxuq/L8It9Uv3oc78YYWiqf9N8OrOUGuVf:NDIqbjB8BXo6XN9QipQY2zu14iprCP
Threatray 4'582 similar samples on MalwareBazaar
TLSH 40141286A7C588F7DEAB4E301877973EF275C0121055174B0BED6EE762118A34F2E19B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order_00429pdf.iso
Verdict:
Malicious activity
Analysis date:
2021-04-07 10:54:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f831feb9-67ee-4004-977b-ef314695fb90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133100/
Detection(s):
SecuriteInfo.com.Troj.Kryptik-VJ.21065.26087.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/670014
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383953 Sample: LWlcpDjYIQ.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 31 www.socialunified.com 2->31 33 www.kaashir.com 2->33 35 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 5 other signatures 2->49 11 LWlcpDjYIQ.exe 18 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\Temp\...\9a5t.dll, PE32 11->29 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Maps a DLL or memory area into another process 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Contains functionality to prevent local Windows debugging 11->65 15 LWlcpDjYIQ.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.huongdandidong.com 108.186.210.142, 49731, 80 PEGTECHINCUS United States 18->37 39 www.luxel01.com 118.27.122.19, 49722, 80 INTERQGMOInternetIncJP Japan 18->39 41 17 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 10:15:30 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3ab2ff5459a46d33405f2c4a2853dbd9c21b09fd8f7abf0bb9683736f372776b
Formbook
3c5cf190ba17e8138feadf46a81dbdafff69ecd8b9122aaf4967fbd9aa79c1f6
Formbook
7ec78d6c2c919a22185cb0000f2e273d66019b8409a3ca47c819d44cedead22e
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798
Formbook
9e23de70acc475a483df75190ca88ff14395f99074f84c8eb86b4eadf523e498
Formbook
b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
Formbook
b1999a87350ef2b15e663c809ac16f2f0832ba3dcd868aefe0d36392af04da29
Formbook
cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2
Formbook
fa768e26f300f2c19ef11635dd836b031e0b5352d86d40cdc24284bf874230e7
Formbook
+ 4'572 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210408-4rzvmbrt36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.simplyhealrhcareplans.com/sqra/
Unpacked files
SH256 hash:
3e39c71277fd492f9e995a5913176bebd8f78b9cff306a9ce6e5c8dba7600015
MD5 hash:
e5a5e61ad269d94aa1f74f929f76addc
SHA1 hash:
41a4642319054581903776cd0fe5ac282ec6fc8a
Link:
https://www.unpac.me/results/2f1d0d21-0cc3-4915-92ae-9f6fe0fdb480/
SH256 hash:
b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
MD5 hash:
91523f8d438585534d9466432cc4665d
SHA1 hash:
e34b69f0ded056eca7dd43b8f5be2edf7198c211
Link:
https://www.unpac.me/results/2f1d0d21-0cc3-4915-92ae-9f6fe0fdb480/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.57
Link:
https://yomi.yoroi.company/submissions/b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133100/

Comments