MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23
SHA3-384 hash:	9331994379119b024db543eeea3dfafc4cb43d99e24475c2d56d3352c2bd1f9a1a45301c5a0ca4aecde0250de02ad1e2
SHA1 hash:	5288cae8e029f2deefddd204cddb88054c115fe9
MD5 hash:	49a77e1272a4b42e8da887b7f1647748
humanhash:	seventeen-diet-early-double
File name:	49a77e1272a4b42e8da887b7f1647748
Download:	download sample
Signature	Formbook Create hunting rule
File size:	974'848 bytes
First seen:	2022-03-14 20:25:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:liBZXCCAdU4lRGd1aU6SoWVj2bpR62c6uokhzA:liB1Qu4nSFoWCEhzA
Threatray	14'960 similar samples on MalwareBazaar
TLSH	T13325F1A13E192FD2E5394BF4105A466E83F32A662F13E93A1FF02EC7085EF119565E13
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/250432/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.28465.1282.24005.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/622fa4a3b94fb38cb47db582/reports/e662c390-f201-4fd3-ad4f-605a9c9eb5e3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b8ea1c3e-f321-4630-aff9-b64aa47915b7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/956530

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-03-14 17:36:55 UTC

AV detection:

14 of 27 (51.85%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

8d6fcc0c461c48ee2da0b00354d946342c3521662cafc0b0d519b5d875279939

Formbook

9b989810b625c75d2d669edbb692f4bfd55684f71f3c082e80609ee68e4fe06f

Formbook

b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d

Formbook

c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c

Formbook

c8781b8dca56fa093b3df95c16360b2dc381eadb10b4f9055e11b39f34284749

Formbook

e1589588b95e03844e0f5ccae574e722d68351c867b8535cd3df9467d381cdbb

Formbook

e321bd433e6e630bb69b21c80533446717274fd02eb74e74670934f5cc7e145c

Formbook

+ 14'950 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:pvgu loader rat

Link:

https://tria.ge/reports/220314-y7ajbacaf2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

f2fd2a66520f0b0cd24cdbb0c1edafda47f03a1656b7edd5e84245c9a42ae5eb

MD5 hash:

9621f5b5322aa74769639b6104fdc6fc

SHA1 hash:

1501d2300eb134f73a53deaf751a9156fb2d0f87

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/93cce93c-9446-4042-8d61-82b7519d8684/

Parent samples :

c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d
b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23

SH256 hash:

f46dd8b75422f12f083a13079bb790853dd2187bbd561d87d6fb9add7fb9f493

MD5 hash:

f5393f01fd4073345b0e9511bd1c4497

SHA1 hash:

7bb96ad21f79d4ec9f83b58ea3822ff25666a56f

Link:

https://www.unpac.me/results/93cce93c-9446-4042-8d61-82b7519d8684/

SH256 hash:

5b7da029d64cea05a37737af6d68281d089430389f07168b6d4caa83792cc675

MD5 hash:

6cd61188afd9a9597b61c5431eee062d

SHA1 hash:

3e580950318104d6db7f4fe9e4ba26c4a88d4a0a

Link:

https://www.unpac.me/results/93cce93c-9446-4042-8d61-82b7519d8684/

SH256 hash:

fd5ddf87d0b44bbf5e8cca6f1e2c7e84113a5be8a697c4e1a8238cb8b0964bc6

MD5 hash:

54a18f394a7753cba5dfa42d7b986279

SHA1 hash:

302b72e0828b41fc27f00e7808bd708bf9701bc2

Link:

https://www.unpac.me/results/93cce93c-9446-4042-8d61-82b7519d8684/

SH256 hash:

b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23

MD5 hash:

49a77e1272a4b42e8da887b7f1647748

SHA1 hash:

5288cae8e029f2deefddd204cddb88054c115fe9

Link:

https://www.unpac.me/results/93cce93c-9446-4042-8d61-82b7519d8684/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b7644594c68c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/250432/

URLhaus

https://urlhaus.abuse.ch/url/2097039/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-03-14 20:25:04 UTC

url : hxxp://107.173.219.53/SEbin.exe