MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44
SHA3-384 hash: b2144e6f29734ee08cd69d8b03d11117144886296ce6476fc5a268728d41dcc039232410bc9ece01ba9e00f38838bca8
SHA1 hash: 2d0444ef8fe64348eee4d748b0528e3799d18304
MD5 hash: 3a9ae96d1f6404fccf5bd99b7c5c0383
humanhash: fruit-colorado-texas-pizza
File name:3a9ae96d1f6404fccf5bd99b7c5c0383
Download: download sample
Signature Formbook
Create hunting rule
File size:697'856 bytes
First seen:2021-12-02 17:21:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbc9c0e1dd018627fbe5726a5fc2ba6c (4 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:CIEpAb3iVUYfqUe+L7JMlbv7fkg48BcFcePyaW:CI8G3DYfq9+hMNTMz8Cbm
Threatray 11'917 similar samples on MalwareBazaar
TLSH T14FE47D757AD09D73C8672E78CC47BEAC65363D652E90794A3AF4A8CC4D383437A0A487
File icon (PE):PE icon
dhash icon b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3a9ae96d1f6404fccf5bd99b7c5c0383
Verdict:
Malicious activity
Analysis date:
2021-12-02 17:39:07 UTC
Tags:
installer
Link:
https://app.any.run/tasks/6ec9cd9f-4578-42bc-b5c3-9ecfedf9a96f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210833/
Detection(s):
SecuriteInfo.com.Trojan.Win32.BestaFera.7c.7325.4767.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/577/overview
Behaviour
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61a900c0707a51cfe28b97e0/reports/c890aa2f-ca4b-47e7-a42e-a9f8a37cde0f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/32f04068-335c-42ce-ac77-b00481459983
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900350
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532824 Sample: Y0QAky5VRV Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 9 other signatures 2->64 9 Y0QAky5VRV.exe 1 16 2->9         started        process3 dnsIp4 46 prigmg.am.files.1drv.com 9->46 48 onedrive.live.com 9->48 50 am-files.fe.1drv.com 9->50 32 C:\Users\user\Odhbljup.exe, PE32 9->32 dropped 80 Drops PE files to the user root directory 9->80 82 Modifies the context of a thread in another process (thread injection) 9->82 84 Maps a DLL or memory area into another process 9->84 86 3 other signatures 9->86 14 explorer.exe 9->14 injected file5 signatures6 process7 dnsIp8 52 www.hyslier.com 209.142.79.20, 49836, 80 INNSYSCA Reserved 14->52 54 www.sdtcbh.com 45.199.60.88, 49857, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 14->54 56 2 other IPs or domains 14->56 88 System process connects to network (likely due to code injection or exploit) 14->88 18 Odhbljup.exe 15 14->18         started        22 svchost.exe 14->22         started        24 wscript.exe 14->24         started        26 Odhbljup.exe 15 14->26         started        signatures9 process10 dnsIp11 34 prigmg.am.files.1drv.com 18->34 36 onedrive.live.com 18->36 38 am-files.fe.1drv.com 18->38 66 Multi AV Scanner detection for dropped file 18->66 68 Machine Learning detection for dropped file 18->68 70 Modifies the context of a thread in another process (thread injection) 18->70 72 Sample uses process hollowing technique 18->72 74 Self deletion via cmd delete 22->74 76 Maps a DLL or memory area into another process 22->76 78 Tries to detect virtualization through RDTSC time measurements 22->78 28 cmd.exe 1 22->28         started        40 prigmg.am.files.1drv.com 26->40 42 onedrive.live.com 26->42 44 am-files.fe.1drv.com 26->44 signatures12 process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 10:06:37 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c81bc76bb2b34fc085a6ff0beb19fda2b1e400ad67341f55185b8d8b7351643
Formbook
387508d9f7c0d79b09bde31b037d1c43ceb1ce799a0cc94a77a20226477b47f7
Formbook
4c6f60ba070864a86dceaa5785b1dceb395cbe4667b9c539bc0675411b4e16a9
Formbook
5a573da6707c9373b0f49b049b07ddc21bc6976195b834473d0be2daaf52c173
Formbook
667e8635796cd94ca4161f15f33e8c9d837c7c35a25d583e4f978ad76d9b86f8
Formbook
771e4f69520f71afe6a6e9a4eb4de7dcd8d7521d90db290ca6c27b1a95c532af
Formbook
8ca2107e19d721b560f7e76c4a7ccb03869a24f478dc710159341ddc170e1741
Formbook
9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145
Formbook
ba10b4ebe4ae3556a1320c7a9b8cb14da16042061c33f1ded73c193cbac8f346
Formbook
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
Formbook
+ 11'907 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211202-vxkpraagdr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Unpacked files
SH256 hash:
68ae5ffe5ad2069a531d80461d6f5ad6c210d0a19075a193894b95392827bec3
MD5 hash:
2cdfa8240841b03c9e440fbecf1ab6a8
SHA1 hash:
5f11ffeb002745eab78b1432e49adf6caf76286a
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/8d4a0c66-c7a4-4dd4-8522-624b02e9ac7c/
Parent samples :
6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8
7ef8b67819945bc8f480ca064b5e3f5a330b6744d47d24b5d1c0214ca65724a3
d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44
897d218b958ece913adb5670a36e54f96f7d5279174c21f11cef92e31876a772
1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
a6a14f198c4aecd3c93a2e2dbecefb7f56643c231fc6eb685c5006eb825c591d
SH256 hash:
b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44
MD5 hash:
3a9ae96d1f6404fccf5bd99b7c5c0383
SHA1 hash:
2d0444ef8fe64348eee4d748b0528e3799d18304
Link:
https://www.unpac.me/results/8d4a0c66-c7a4-4dd4-8522-624b02e9ac7c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b8aa3a9c721e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210833/
  
URLhaus
https://urlhaus.abuse.ch/url/1845227/
  
URLhaus
https://urlhaus.abuse.ch/url/1845908/

Comments


Avatar
zbet commented on 2021-12-02 17:21:43 UTC

url : hxxp://13.250.31.113/7009/binso.exe