MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367
SHA3-384 hash:	904112f1b48e4c754b575ba805c88190acb4b79bd54b276490e67215949e550f22526079243912d02677219a3b5f535c
SHA1 hash:	9d7add3ef8a94821eff53b9f3b6634a204248a08
MD5 hash:	f4fdac362f860520d28385d92c288a7c
humanhash:	florida-juliet-triple-montana
File name:	a.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	87'040 bytes
First seen:	2023-12-02 18:21:19 UTC
Last seen:	2023-12-02 20:35:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep	1536:tKC9T1+3phJnoHt3DU5zPHTLSG/raJtVfNfsCZU8rzfBPgH+U391ChsndEg3:tG/1HTba0ClXR8AsnP
TLSH	T11283CFF2DE19469BDEE009B53229725DC2E7F619C0B8E7C722E5580421DFBFE0465067
TrID	38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 11.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	Xev
Tags:	ClipBanker exe FormBook xworm

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461966/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.4165.19802.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the Windows directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Searching for the window

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed shell32 xworm xworm

Link:

https://www.filescan.io/uploads/656b75e9380413dc0c2c6d45/reports/b1ecbfd8-9932-47c3-a48a-5f6600b30f1b/overview

Verdict:

Malicious

Labled as:

Razy.Generic

Link:

https://www.hybrid-analysis.com/sample/bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b318c239-f47d-473f-bcc0-767e56a571c7

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1352198

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops executables to the windows directory (C:\Windows) and starts them

Encrypted powershell cmdline option found

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Potential dropper URLs found in powershell memory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367/

Threat name:

Win32.Dropper.Dapato

Status:

Malicious

First seen:

2023-12-01 03:43:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xodiklhrt5b7gblbw3pld4yxgw7l4fl7z3g4ot23posfhqstwntq._file

Verdict:

malicious

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm persistence rat trojan

Link:

https://tria.ge/reports/231202-wzwepsef91/

Behaviour

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Windows directory

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Executes dropped EXE

Detect Xworm Payload

Xworm

Malware Config

C2 Extraction:

goofyah-26004.portmap.host:26004

Unpacked files

SH256 hash:

b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

MD5 hash:

687f761162c7f606147b6cb4ec53f1b0

SHA1 hash:

c5becf98823cf61fa049da30a9bb74819aa62d75

Detections:

MALWARE_Win_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

win_xworm_bytestring

MALWARE_Win_AsyncRAT

Link:

https://www.unpac.me/results/55729481-a6c0-406d-9eb4-31d292b54a25/

Parent samples :

b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7
bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

SH256 hash:

bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

MD5 hash:

f4fdac362f860520d28385d92c288a7c

SHA1 hash:

9d7add3ef8a94821eff53b9f3b6634a204248a08

Link:

https://www.unpac.me/results/55729481-a6c0-406d-9eb4-31d292b54a25/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bb86852cf19f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367

(this sample)

Formbook

exe b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

Dropping

SHA256 b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7

Cape

https://www.capesandbox.com/analysis/461966/

URLhaus

https://urlhaus.abuse.ch/url/2736854/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample