MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments 1

SHA256 hash:	b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf
SHA3-384 hash:	08c6186a6a4c59e6d8f52a4861094e965ca51f4ab82408d42d7ca6cf473041c5d97fa5a496dfdc317ec7bebfc9f5859e
SHA1 hash:	349a64622920f327a4007527126857162c72fc02
MD5 hash:	d1947108d14444faeef2714a28897b2a
humanhash:	freddie-july-lake-fillet
File name:	d1947108d14444faeef2714a28897b2a
Download:	download sample
Signature	Formbook Create hunting rule
File size:	311'808 bytes
First seen:	2021-09-02 06:42:38 UTC
Last seen:	2021-09-02 08:20:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5c93c97e908d457a11b98f665a319008 (7 x RaccoonStealer, 2 x Smoke Loader, 1 x ArkeiStealer)
ssdeep	6144:8xbugUN0QQrl4Dy2sUnspTkOs4yRn5a4BL4p:sugc0QQrl4DZsOOGhUi
Threatray	7'651 similar samples on MalwareBazaar
TLSH	T16B64BE20B7A0C035F5F752F469BA93B8A92C7A705B3450CFA2D52AEA16347F49C31397
dhash icon	60e8e8e8aa66a499 (24 x RaccoonStealer, 14 x RedLineStealer, 7 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Arrival Notice_VSL TAICHUNG.xlsx

Verdict:

Malicious activity

Analysis date:

2021-09-02 05:42:28 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/b49a15d8-bf87-49c8-bc06-eef0858e11af

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/184684/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.63105.12802.13364.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/24dcd1d4-0e4f-4d32-a56c-181c662b90fc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/843830

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf/

Threat name:

Win32.Trojan.Racoon

Status:

Malicious

First seen:

2021-09-02 06:43:06 UTC

AV detection:

20 of 44 (45.45%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd

Formbook

8909a6a1081cf2202e33dbc0e496c5be450f360b8f2d63a05c8c671d5ffb00de

Formbook

8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23

Formbook

b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981

Formbook

ea66d2f582f9da718979a56b628e19a5712e41e979808cb84a8cb427fbe1ab30

Formbook

f782375e80f3a68b36457886ac1c6490e2497e6c9fb3ffdb33c1679597f0770e

Formbook

f792fdad86a8e30cb364d54392dd57b58b7699a17ef35b716f1a115516adfe10

Formbook

+ 7'641 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:imi7 loader rat

Link:

https://tria.ge/reports/210902-t8jbqdk8px/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Xloader Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Xloader

Malware Config

C2 Extraction:

http://www.southerngiggle.com/imi7/

Unpacked files

SH256 hash:

ea88e40b750a9f44289afb18b9096c14c1a0d81ae92bd236fe3fd15bf9f8dd27

MD5 hash:

8110d942a1afd5a03fb68ef51e9bce54

SHA1 hash:

d22bf05fd3f760e6f65d5ab239adf71c25f0be09

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5e2bb2a1-a592-489d-8a9b-39adab9f3436/

Parent samples :

3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
12de2f015642b7430fdf5e76d186dc2c38161f4e2238e84d8dd9e4125d3bceec
4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0
b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf
bf9f97f369f730dbe091c7a5304ae2503f61eb0f226bfc763e0681cf07035618
ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299
01459f26c9c160284fbb5d73fe3e2c05634295c07c78b9667107950526af179c
4bd5c83d0ec09eb7019537466d0c3c1469986dce8c358041f65be1a60a6b6fe4

SH256 hash:

b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf

MD5 hash:

d1947108d14444faeef2714a28897b2a

SHA1 hash:

349a64622920f327a4007527126857162c72fc02

Link:

https://www.unpac.me/results/5e2bb2a1-a592-489d-8a9b-39adab9f3436/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1585253/

Cape

https://www.capesandbox.com/analysis/184684/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-09-02 06:42:39 UTC

url : hxxp://103.133.106.199/hsbc/vbc.exe