MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
SHA3-384 hash: e5498ac69ca91375100423ca3a6590c3c91a7bc053de389c723d0bf1a9d087a6260cb8b51764defbf07fe195627b60d9
SHA1 hash: 254274c5ccdd0e94590d89a9d852a462584eb482
MD5 hash: e80b384d4465c98720ae1c0d2e965a5a
humanhash: blossom-winter-carolina-four
File name:e80b384d4465c98720ae1c0d2e965a5a
Download: download sample
Signature Formbook
Create hunting rule
File size:740'864 bytes
First seen:2021-11-26 19:14:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 01f42bb56bd8196b0da3b3826e73efd5 (4 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:HOYMYlxIimj6qr9wMiE+wGFYjA2KY59roDBM6nGplGJY:HOJYMimv+9wGqfKY59cM6GplGJ
Threatray 11'940 similar samples on MalwareBazaar
TLSH T1DBF4AE75F9838435C6770D7E790E6B145224BE882BA5B43F16E8FC4D4BB4396283A237
File icon (PE):PE icon
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Item Receipt 40006.xlsx
Verdict:
Malicious activity
Analysis date:
2021-11-26 18:08:07 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/aa82389a-b75f-47cc-9054-00c219c6700e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Zusy.408309.14966.9919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/61a1323cf36138de3f3fa325/reports/e4a1f0e9-3a26-49ed-8662-d2fb338e385d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be264869-c6dd-48f6-9dc4-3fd66215e521
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896937
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: TrustedPath UAC Bypass Pattern
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529415 Sample: GAc8yf7aFT Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 68 onedrive.live.com 2->68 88 Multi AV Scanner detection for domain / URL 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 7 other signatures 2->94 12 GAc8yf7aFT.exe 1 26 2->12         started        signatures3 process4 dnsIp5 70 sejgnq.am.files.1drv.com 12->70 72 onedrive.live.com 12->72 74 am-files.fe.1drv.com 12->74 60 C:\Users\user\Contacts\Qfvepsqa.exe, PE32 12->60 dropped 62 C:\Users\user\Contacts\System32\UKO.bat, ASCII 12->62 dropped 64 C:\Users\user\Contacts\...64ETUTILS.dll, PE32+ 12->64 dropped 66 C:\Users\user\Contacts\...66ETUTILS.EXE, PE32+ 12->66 dropped 106 Writes to foreign memory regions 12->106 108 Allocates memory in foreign processes 12->108 110 Creates a thread in another existing process (thread injection) 12->110 112 Injects a PE file into a foreign processes 12->112 17 cmd.exe 1 12->17         started        20 mobsync.exe 12->20         started        file6 signatures7 process8 signatures9 80 Uses ping.exe to sleep 17->80 82 Uses ping.exe to check the status of other devices and networks 17->82 22 cmd.exe 3 17->22         started        25 conhost.exe 17->25         started        84 Maps a DLL or memory area into another process 20->84 86 Tries to detect virtualization through RDTSC time measurements 20->86 27 explorer.exe 2 20->27 injected process10 signatures11 98 Uses ping.exe to sleep 22->98 100 Drops executables to the windows directory (C:\Windows) and starts them 22->100 29 easinvoker.exe 22->29         started        31 PING.EXE 1 22->31         started        34 xcopy.exe 2 22->34         started        42 6 other processes 22->42 37 Qfvepsqa.exe 27->37         started        40 Qfvepsqa.exe 27->40         started        process12 dnsIp13 44 cmd.exe 1 29->44         started        76 127.0.0.1 unknown unknown 31->76 78 192.168.2.1 unknown unknown 31->78 54 C:\Windows \System32\easinvoker.exe, PE32+ 34->54 dropped 96 Multi AV Scanner detection for dropped file 37->96 56 C:\Windows \System32\KDECO.bat, ASCII 42->56 dropped 58 C:\Windows \System3258ETUTILS.dll, PE32+ 42->58 dropped file14 signatures15 process16 signatures17 102 Suspicious powershell command line found 44->102 104 Adds a directory exclusion to Windows Defender 44->104 47 powershell.exe 25 44->47         started        50 conhost.exe 44->50         started        process18 signatures19 114 DLL side loading technique detected 47->114 52 conhost.exe 47->52         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 15:29:26 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xrbmdzji44gq6qks46bhr3i2bzf2z5gkxc5sdwu6vd4zusdhmnkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c81bc76bb2b34fc085a6ff0beb19fda2b1e400ad67341f55185b8d8b7351643
Formbook
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
Formbook
4bb96dffcc0b4cba1f4ee2ed04e32d724e486c88b0e8492b3e5efb1ec0928c0e
Formbook
4c6f60ba070864a86dceaa5785b1dceb395cbe4667b9c539bc0675411b4e16a9
Formbook
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
Formbook
7415f5e7f8ae4514ca13ec7ae4e3b4005e93c63eaba82d03048de5f60eb784fa
Formbook
894f9fa39a5922cc3ec8d79c7957cfacbb99ce27c2b3babdb23e061a5a178ddc
Formbook
ba10b4ebe4ae3556a1320c7a9b8cb14da16042061c33f1ded73c193cbac8f346
Formbook
dce5f044b1f4396f33c3574667169dcbdeb3aebb037c9f53d7a8c38e095f576d
Formbook
eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
Formbook
+ 11'930 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hno0 loader persistence rat suricata
Link:
https://tria.ge/reports/211126-xx84fsecbj/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.heidecide.xyz/hno0/
Unpacked files
SH256 hash:
80862d46bdac152572d0faa96c99edb9bcb3d5d3ff5d1d41771f5cb8ad164a2c
MD5 hash:
7c09b28f7639c8b2a033e88db5d9df53
SHA1 hash:
fbcccc3c2d024228a3e1dab743b3912ed8ccbb3c
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/29e8eb97-298e-4d9a-af86-2e23453c4584/
Parent samples :
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
62d54d23908b06fb851da8829798a3d82110e0c189a8794f9d7deb9642f1542d
91b5c318543587a212464565a4df06eae2ad2823338389134f06c4409047e18e
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
6c2c4e5bb1275643184f07bd2bce3f51722e3b3e0557fbf0d83c0dc6461c4a5b
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SH256 hash:
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
MD5 hash:
e80b384d4465c98720ae1c0d2e965a5a
SHA1 hash:
254274c5ccdd0e94590d89a9d852a462584eb482
Link:
https://www.unpac.me/results/29e8eb97-298e-4d9a-af86-2e23453c4584/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bc42c1e528e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1820906/

Comments


Avatar
zbet commented on 2021-11-26 19:14:18 UTC

url : hxxp://52.56.119.158/40004/we3.exe