MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda
SHA3-384 hash:	f685b4e1da61a643be1b51cad371513df1e1d6d59380c562182222d893907aaab1fd4dbb0bf601e04e2e8a28fa5eead9
SHA1 hash:	a5181df675e807038cdf6acd275460b7a645dc9e
MD5 hash:	4cb6dea7a13d023a47d7fbca4c7889a1
humanhash:	finch-thirteen-juliet-winter
File name:	SecuriteInfo.com.W32.AIDetectNet.01.31948.23437
Download:	download sample
Signature	Formbook Create hunting rule
File size:	450'048 bytes
First seen:	2022-06-21 23:52:50 UTC
Last seen:	2022-06-27 09:34:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:Erl8VrFx9deDEWAnQt9PM21OnJRS8vESqNitJ018zzmeY:Erl8VrFfwDEWjPf14vbqNit+1Z
TLSH	T1E3A41241AAACEB22DA3EABF524D2414457B1A03A3110F31FCFD164D758E6F48C5A2F5B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

ORDEN DE COMPRA.pdf.xxe

Verdict:

Malicious activity

Analysis date:

2022-06-21 20:59:06 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/5ddf2a2d-ca04-4d0a-8f44-17a46963b5e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/282133/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.31948.23437.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62b25a1e1fcdba4e1a46aa54/reports/b6faec10-96ad-4d28-a2fb-97d396591c06/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3156bd6f-9016-4d9f-9098-f8716588728a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017569

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-21 21:06:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w5mvudgnkdviuhugz7co63mii4tgu27c3nbwivnyav5jwfklf7na._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:oa3a loader rat

Link:

https://tria.ge/reports/220621-3w971shhc8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

f440eeff80bf9433030053c0a68dd51568cec6a2b2e833b03b0a688a211e5716

MD5 hash:

2913b4a9f4ce77712bde549ead31b069

SHA1 hash:

635a3cc41c8f769be0691a85b66aab8c988f311e

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/2b66c529-3114-472e-89ca-4ededf5481bc/

Parent samples :

b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda
5acdd7386319cf85fcc1ddec65225adce14969cebd16d9c117120e2d590bf851
50c4ddf65f86d50b2aeaabce3c0fa6acf50ec05520ef4d7720f8b4b1fb19b201

SH256 hash:

357b041c29a1c84448a4f0cdd4c52c9e9385fa641efe7e06483c101c8cd58519

MD5 hash:

b96228fb6043d73bfe0091bc30e8543c

SHA1 hash:

f11abad505078c2c6dda8dfe0c988dd6b2351e72

Link:

https://www.unpac.me/results/2b66c529-3114-472e-89ca-4ededf5481bc/

SH256 hash:

6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e

MD5 hash:

7ce2d10bd0f02667bc0e1343d9ffc1c1

SHA1 hash:

c3a5b4e5721085022eb7bf0008b7e449f9369fcf

Link:

https://www.unpac.me/results/2b66c529-3114-472e-89ca-4ededf5481bc/

SH256 hash:

d1e8e78fae9471bbd4dc4d18e4ceb8f00f9b9579f1adfcd7e8821d4e38434376

MD5 hash:

5c46384cc8722f55835688eea0160a9e

SHA1 hash:

0476e6ca1a80a0569a64c62438588dae95f160e2

Link:

https://www.unpac.me/results/2b66c529-3114-472e-89ca-4ededf5481bc/

SH256 hash:

b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda

MD5 hash:

4cb6dea7a13d023a47d7fbca4c7889a1

SHA1 hash:

a5181df675e807038cdf6acd275460b7a645dc9e

Link:

https://www.unpac.me/results/2b66c529-3114-472e-89ca-4ededf5481bc/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7595a0ccd50/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b7595a0ccd50ea8a1e86cfc4ef6d8847266a6be2db436455b8057a9b154b2fda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/282133/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample