MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6
SHA3-384 hash:	fbbacb5e9071e4387fe4b858136d94264902b4035cd0736e22b8b9511cb0f7b4aab2b6c5929dd8daa38456ba8c65a782
SHA1 hash:	4f64e8cdd22ff4e28cf885da1dbd74c5b28fe920
MD5 hash:	1e6137c61ef9e86172dc6f9b1fbda68b
humanhash:	eleven-utah-minnesota-cold
File name:	1e6137c61ef9e86172dc6f9b1fbda68b.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	210'709 bytes
First seen:	2021-03-01 07:44:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	6144:x9X0GbinDyWSRO6PpWuCtUchDlwZFm/yFey:n0einDyW6MGoy4y
Threatray	3'992 similar samples on MalwareBazaar
TLSH	7F241245B6A0A4F7E9A61B300ABFA2CFBFFF82541258624357444F6E7C339C2951E163
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO 120610361.xlsx

Verdict:

Malicious activity

Analysis date:

2021-03-01 07:14:08 UTC

Tags:

encrypted exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/4af3a36a-7c66-48dc-9221-960fa2d00b4e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/120161/

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/621828

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-03-01 07:45:16 UTC

AV detection:

16 of 48 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcxekkvok64qjyifriambirnzde7vbxfwbbnp7s4qexxes3vggta._file

Verdict:

malicious

Label(s):

formbook

Formbook

170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d

Formbook

1c0a0e62b6945e4613b04e61cfc76b876d647b632ccf5d72d9d1e24fa967550f

Formbook

38b6a40d2eeddf38695294c57971fc2efab81fea95100260a2003baa13616b83

Formbook

8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3

Formbook

8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798

Formbook

b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76

Formbook

b1999a87350ef2b15e663c809ac16f2f0832ba3dcd868aefe0d36392af04da29

Formbook

c1dc214e929541d1f9d0ede9422bf40f61f766de5e8a32bc2fb2d73a91e4a71e

Formbook

d3a729cac68f5147eb5b7a4e288196b37d0e7a02305529c591b060bcd36a843d

Formbook

+ 3'982 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210301-71wqbdjc7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.856380692.xyz/nsag/

Unpacked files

SH256 hash:

b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6

MD5 hash:

1e6137c61ef9e86172dc6f9b1fbda68b

SHA1 hash:

4f64e8cdd22ff4e28cf885da1dbd74c5b28fe920

Link:

https://www.unpac.me/results/9f1d865f-f9ba-4dcf-9455-fdf02241967f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.