MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b
SHA3-384 hash: 9c6708705d310d24c679caef579858cde6ae10fefabbd4f56ed704dbc6e9a16f3bc4fdfc48a7bc99b7f586167f94b3b3
SHA1 hash: 11b44384a9cb09bf5f6c92e5ff14380c9655a784
MD5 hash: ad5f62c4fbd80e1c75c0442faa2eda1d
humanhash: aspen-pennsylvania-blossom-saturn
File name:ad5f62c4fbd80e1c75c0442faa2eda1d
Download: download sample
Signature Formbook
Create hunting rule
File size:254'298 bytes
First seen:2022-01-31 13:20:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owiaIjCPljYVh70fNm1QtMRl46HN/8vHJ8roMs:mPOjGMwQtMRl4gJ8vHJ8roz
Threatray 13'109 similar samples on MalwareBazaar
TLSH T12244121A5684C483D2AE4A764A76AF4FE7FF80061B53231F0F541F6E3E3538BA509257
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Copy.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-31 12:05:59 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/29915dc3-5cc6-4ee9-9d84-26ac563bcc17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228445/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f7e247d7fd65ae55fcc6a8/reports/79bc9fef-e29b-4a7a-971a-cfec9425837d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81e55b4e-bdc2-4937-aed8-968f2222fc54
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930858
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 13:21:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xskpqvnpmpzloelufujsjhrwpeoags3dnhwny6mhrqcn5csnxvvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
Formbook
67bf345a4ea3e03b4b58a7d9e47f9d31a93f79fefe4e69067ee6c15250930169
Formbook
786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
Formbook
959b7ce61e82bc7f837042b10627c2d87442d52a243eafa8b837419ec0174418
Formbook
adbb0a2d948271b626589d5e305bdda36bad62e00b58847d0a7dae3688d5c376
Formbook
cfd1a77378decd68cd7a59307b77b93247bdd91e00de5111ecae6b5658c8665f
Formbook
e64b071b483c1bb818812cedb781acb23cb0f791d6485525f6fded9040537ce3
Formbook
+ 13'099 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:3a4h loader rat
Link:
https://tria.ge/reports/220131-qlnj2shgf3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b
MD5 hash:
ad5f62c4fbd80e1c75c0442faa2eda1d
SHA1 hash:
11b44384a9cb09bf5f6c92e5ff14380c9655a784
Link:
https://www.unpac.me/results/8840aea8-ef52-4bcf-a65b-03c82a459485/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bc94f855af63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2018343/
Cape
Cape
https://www.capesandbox.com/analysis/228445/

Comments


Avatar
zbet commented on 2022-01-31 13:20:45 UTC

url : hxxp://107.174.138.158/101/vbc.exe