MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdf8f0fe0af3da8a08f2d5ba8baeec69b75565cf09fb160d58297b6b33a956b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	bdf8f0fe0af3da8a08f2d5ba8baeec69b75565cf09fb160d58297b6b33a956b6
SHA3-384 hash:	bcb46776c81881d7b49ee967450476e4506151bd56ccb4086b422e8ff259cb12967a32c38ec9a63377fcaed3e4f1f2cb
SHA1 hash:	d81923cfc43eb5595b6eed8450f64a18b8c5aaf3
MD5 hash:	262fc001fb4b7001adc2cdc393344393
humanhash:	twelve-double-october-bulldog
File name:	262fc001fb4b7001adc2cdc393344393
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'120'768 bytes
First seen:	2022-05-10 15:59:15 UTC
Last seen:	2023-08-27 09:07:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:grKQfxt7J0aCf5WN02UK97HOh/p3XHD67Lgz77EJIBraZjgSLhlDV1piLgcseObl:eh25T2FROZVHDKLgz7zBraZjgyk
Threatray	15'372 similar samples on MalwareBazaar
TLSH	T1ED3517987254F9EEC817C175CA685CF0AA207C66C32B820B50173D9EB97E783DF119B6
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f26efec4b6c2c00c (24 x AgentTesla, 14 x Loki, 12 x Formbook)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

262fc001fb4b7001adc2cdc393344393

Verdict:

Suspicious activity

Analysis date:

2022-05-10 16:45:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/773b5f3e-d136-4dd7-b35d-60f288f6c02f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/269490/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.331.18699.21285.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/627a8c0cbe0219041a8e53b9/reports/836ed0b0-e806-4942-b263-78ded1bbf398/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d4661f1c-0dd3-46b9-96f8-3f66b2fdabf0

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/991158

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/bdf8f0fe0af3da8a08f2d5ba8baeec69b75565cf09fb160d58297b6b33a956b6/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-05-10 15:13:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

365513da20efb05517fcb10a348acb39e3391a5ec8cb44c8a6f15253e661b401

Formbook

3cc9b252ff025191c7ca6413ec68089630073126ae82ee276acec334903a07c2

Formbook

46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697

Formbook

513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99

Formbook

c229dfc2fbeae18ab1517a096e4b53639144648a9e6d1bd74d0174ce90a4ecb6

Formbook

cb4f0f68dacf3b0deddf62a86e6d8d4963ba941f6aadf2f874ece8ee3768ab54

Formbook

d7dc569e0cf8cc6afc0a4a922263195ea12051b1db428fcf9fba724d90261a5e

Formbook

+ 15'362 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:eido loader rat

Link:

https://tria.ge/reports/220510-tfm8wadfbk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

b1ba9ce6d4c9a6897a10ac89103e5c96e27b75699f0527fc47e370fd13d584ff

MD5 hash:

536063b115caa606e6201f3d6c76666b

SHA1 hash:

84c068cae2c5651bb1c675b141e8b858ea29806f

Link:

https://www.unpac.me/results/8f0d97be-3274-4774-8950-364f11c2ccd9/

SH256 hash:

73110b1abcfa8e8c29f1aeeaeee8a0233fd20f02acbecf00c55cb2faeae2da26

MD5 hash:

0674d29fca2d0b42ab2f0ee1f6da1980

SHA1 hash:

bb259ce7a5b87b26be113cecddb34719985f691b

Link:

https://www.unpac.me/results/8f0d97be-3274-4774-8950-364f11c2ccd9/

SH256 hash:

0fe6785147ba1d6d389b8bf4198326fb1ab2dd6b993627ff3bc964ebca671f39

MD5 hash:

3c5b15644181f7995988caf71f1e573a

SHA1 hash:

d6416df735128bec510ab064717715606415a616

Link:

https://www.unpac.me/results/8f0d97be-3274-4774-8950-364f11c2ccd9/

SH256 hash:

24dababb2670cdb4fdc98f11ab48e8fc0a44ce20aea877fb745280f853f9a63c

MD5 hash:

bc6f922c2742d7fcf828a0d4d0276750

SHA1 hash:

069353b0142b81289358f492e886798610f4a438

Link:

https://www.unpac.me/results/8f0d97be-3274-4774-8950-364f11c2ccd9/

SH256 hash:

4907531cb3c3168e39aadcf80ab4f183bfbd91e08a2d3e6b1c883510d53b08d9

MD5 hash:

24f396af757b10174e698438701ae11d

SHA1 hash:

9ac5166a357ca3d91208378e441b8c11dcc84972

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/8f0d97be-3274-4774-8950-364f11c2ccd9/

Parent samples :

cb4f0f68dacf3b0deddf62a86e6d8d4963ba941f6aadf2f874ece8ee3768ab54
513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99
bdf8f0fe0af3da8a08f2d5ba8baeec69b75565cf09fb160d58297b6b33a956b6
4ae196ba20257faedeeb359b17525e17cd4eff1b25eb171ca7c2a93ea3cd526c
532c1d4404b76c16ac1e3a39bd1c1f9588f9ea9ced3ad01d6dfdc2f239996229

SH256 hash:

bdf8f0fe0af3da8a08f2d5ba8baeec69b75565cf09fb160d58297b6b33a956b6

MD5 hash:

262fc001fb4b7001adc2cdc393344393

SHA1 hash:

d81923cfc43eb5595b6eed8450f64a18b8c5aaf3

Link:

https://www.unpac.me/results/8f0d97be-3274-4774-8950-364f11c2ccd9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/bdf8f0fe0af3da8a08f2d5ba8baeec69b75565cf09fb160d58297b6b33a956b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.