MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
SHA3-384 hash: 6ecc6776cc4004bf1a71761bf8a743ee9875202807294e321d1c14debd79eede7630c12e53e34cf336f40122e415b8f3
SHA1 hash: 7946006ca278892817b7a778eea1e04f5b2f948c
MD5 hash: e1c82191b678cea8f3c996887ddc1232
humanhash: leopard-kentucky-quiet-leopard
File name:bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:512'512 bytes
First seen:2024-10-13 17:13:13 UTC
Last seen:2024-10-13 18:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:kU43i+9MrOq5q7pN37VvbvH3pJJtlueGAmp8R6LqSY4JiFZlmM5Ki634:V4JZDhAWS2ZN
Threatray 1'557 similar samples on MalwareBazaar
TLSH T15AB428243DFB501AB173EFA69BE8799ADA6FB3733B06641A109103474B13981DEC153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Chainskilabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DealarOrDeadCode.exe
Verdict:
Malicious activity
Analysis date:
2024-09-19 16:14:45 UTC
Tags:
evasion telegram xworm amsi-bypass remote crypto-regex
Link:
https://app.any.run/tasks/980aaebe-6c2e-4585-82bb-f5a6a6fccc67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.22843.5306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670bffdc707bcd8537fb5bed
Tags:
Powershell Autorun Cobalt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
dcrat
Link:
https://www.filescan.io/uploads/670bffda9f3db0abfed37c46/reports/b8550d63-ca53-4f1a-84a2-605b45c4f557/overview
Verdict:
Malicious
Labled as:
MSIL.Krypt.Generic
Link:
https://www.hybrid-analysis.com/sample/bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a02c9053-8471-4b5d-a75a-c9c1ff473670
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1532627
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops PE files to the user root directory
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532627 Sample: mIURiU8n2P.exe Startdate: 13/10/2024 Architecture: WINDOWS Score: 100 68 subscribe-bond.gl.at.ply.gg 2->68 70 ip-api.com 2->70 96 Multi AV Scanner detection for domain / URL 2->96 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 36 other signatures 2->102 9 mIURiU8n2P.exe 5 2->9         started        13 powershell.exe 2 15 2->13         started        15 Deadsvchost.exe 2->15         started        17 Deadsvchost.exe 2->17         started        signatures3 process4 file5 60 C:\Users\Public\DeadXClient.exe, PE32 9->60 dropped 62 C:\Users\Public\DeadROOTkit.exe, PE32 9->62 dropped 64 C:\Users\Public\DeadCodeRootKit.exe, PE32 9->64 dropped 66 C:\Users\user\AppData\...\mIURiU8n2P.exe.log, CSV 9->66 dropped 128 Drops PE files to the user root directory 9->128 130 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->130 19 DeadROOTkit.exe 15 8 9->19         started        24 DeadXClient.exe 1 5 9->24         started        26 DeadCodeRootKit.exe 1 9->26         started        132 Writes to foreign memory regions 13->132 134 Modifies the context of a thread in another process (thread injection) 13->134 136 Found suspicious powershell code related to unpacking or dynamic code loading 13->136 138 Injects a PE file into a foreign processes 13->138 28 dllhost.exe 1 13->28         started        30 conhost.exe 13->30         started        140 Antivirus detection for dropped file 15->140 142 Multi AV Scanner detection for dropped file 15->142 144 Machine Learning detection for dropped file 15->144 signatures6 process7 dnsIp8 72 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 19->72 74 api.telegram.org 149.154.167.220, 443, 49739 TELEGRAMRU United Kingdom 19->74 76 updates-full.gl.at.ply.gg 147.185.221.20, 49740, 49838, 49851 SALSGIVERUS United States 19->76 56 C:\Users\user\AppData\Local\DeadROOTkit.exe, PE32 19->56 dropped 104 Antivirus detection for dropped file 19->104 106 Multi AV Scanner detection for dropped file 19->106 108 Protects its processes via BreakOnTermination flag 19->108 122 4 other signatures 19->122 32 powershell.exe 19->32         started        35 powershell.exe 19->35         started        37 Deadsvchost.exe 19->37         started        78 subscribe-bond.gl.at.ply.gg 147.185.221.21, 28600, 49731, 49738 SALSGIVERUS United States 24->78 58 C:\Users\Public\Deadsvchost.exe, PE32 24->58 dropped 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->110 112 Machine Learning detection for dropped file 24->112 114 Creates multiple autostart registry keys 24->114 124 2 other signatures 24->124 39 schtasks.exe 24->39         started        116 Injects code into the Windows Explorer (explorer.exe) 28->116 118 Contains functionality to inject code into remote processes 28->118 120 Writes to foreign memory regions 28->120 126 3 other signatures 28->126 41 lsass.exe 28->41 injected 43 svchost.exe 28->43 injected 45 svchost.exe 28->45 injected 48 25 other processes 28->48 file9 signatures10 process11 dnsIp12 86 Loading BitLocker PowerShell Module 32->86 50 conhost.exe 32->50         started        52 conhost.exe 35->52         started        54 conhost.exe 39->54         started        88 Installs new ROOT certificates 41->88 90 Writes to foreign memory regions 41->90 92 System process connects to network (likely due to code injection or exploit) 43->92 80 api.telegram.org 45->80 82 updates-full.gl.at.ply.gg 45->82 84 subscribe-bond.gl.at.ply.gg 45->84 signatures13 94 Uses the Telegram API (likely for C&C communication) 80->94 process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40/
Threat name:
ByteCode-MSIL.Trojan.IPCheckDCRat
Create hunting rule
Status:
Malicious
First seen:
2024-09-17 00:49:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xuakov3qrc3hwutjt6kwe5nd6vr5mi6ksb7652xoruxyehjv3zaa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
r77
Create hunting rule
r77_installer
Create hunting rule
Similar samples:
14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
Formbook
25179f1c63031ba0b4daf7ff315f008d6f794eed2b5d486c796457cd4a8b4bce
Formbook
4b0446befa42f4a40fd06635aaa72fb34dfbaa7575fb1f811df6f4fad90f53b4
Formbook
7890c98fda5bae9bcb1b6d41a7635ed385682728d810bb86b7d41981cc2b5f88
Formbook
e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
Formbook
error
Formbook
+ 1'547 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery evasion execution persistence rat trojan
Link:
https://tria.ge/reports/241013-vrzaysxhke/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Malware Config
C2 Extraction:
subscribe-bond.gl.at.ply.gg:28600
updates-full.gl.at.ply.gg:60075
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dea805e8-3ffe-4c38-8a9f-0c79361e1efc
Unpacked files
SH256 hash:
5e74cadc4c72f68cead0d54855ae4da3ca130314c5baf57d29ffa64ebddbbd4a
MD5 hash:
7a9d6790054767b0af9ad8b5d74dc7a9
SHA1 hash:
c2a8e6fd143626847b5ab66e8859621cc3b4e658
Link:
https://www.unpac.me/results/3e3c6ced-5718-44e1-ac26-13210e8fc24d/
SH256 hash:
18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f
MD5 hash:
b8479a23c22cf6fc456e197939284069
SHA1 hash:
b2d98cc291f16192a46f363d007e012d45c63300
Link:
https://www.unpac.me/results/3e3c6ced-5718-44e1-ac26-13210e8fc24d/
SH256 hash:
56f453a47d9ccf82e18e45d56e97af9b1893680f0c95b9f86bd3ec2ce50338a7
MD5 hash:
23bb4c4b213b1d05baa26755ac55e0a2
SHA1 hash:
7fb8d66042c7d7bc4cf5cba658568304c7cc0c02
Link:
https://www.unpac.me/results/3e3c6ced-5718-44e1-ac26-13210e8fc24d/
SH256 hash:
5711b50667b4de000c8031724427ec6cd00b41b760ca1608421dc47b549e2093
MD5 hash:
7dd98fc2976ee270a278e1a9a28eefae
SHA1 hash:
0497ee045226b2d310c7678ed055eeedbc88dc77
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_xworm_simple_strings
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
win_xworm_bytestring
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/3e3c6ced-5718-44e1-ac26-13210e8fc24d/
Parent samples :
bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
SH256 hash:
4353e37a3d60dd30beeec61a812a07ba6bfc174a18cdd5a95be98666db2f7cf6
MD5 hash:
f1976ea02bffaef5ac943c2abbb7426c
SHA1 hash:
deeee7d4f336d0ba898b5579720aaf630951a72f
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/3e3c6ced-5718-44e1-ac26-13210e8fc24d/
Parent samples :
bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
SH256 hash:
bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40
MD5 hash:
e1c82191b678cea8f3c996887ddc1232
SHA1 hash:
7946006ca278892817b7a778eea1e04f5b2f948c
Link:
https://www.unpac.me/results/3e3c6ced-5718-44e1-ac26-13210e8fc24d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd00a7577088/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd00a7577088b67b52699f956275a3f563d623ca907feeeaee8d2f821d35de40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments