MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
SHA3-384 hash: f1234e4ee0cad690daec3dd047c016006f25c964e9d24546530eeee53caefa0a54c5b502b3ea3b87763f2c7d24fc2e23
SHA1 hash: 9baba28f2414bec7d84431ad9ded7930493f1c3e
MD5 hash: 031f0368fbb81830be1927a09afe2de0
humanhash: fish-glucose-december-beer
File name:Output.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:3'735'552 bytes
First seen:2025-03-16 05:48:20 UTC
Last seen:2025-03-16 11:48:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 98304:7qwSJV1+1wtRaer2K+U7X9zz9h9K1xWMvoiYW:ZSJP+1zer2K+Uj9zc0W
Threatray 324 similar samples on MalwareBazaar
TLSH T19F06017816EA82FAA1C660380CB554ED267EDFF1CFE98531362E6FC7A46D7681190F40
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter zhuzhu0009
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
669
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Output.exe
Verdict:
Malicious activity
Analysis date:
2025-03-16 04:03:24 UTC
Tags:
github remote xworm evasion autorun-startup autorun-reg
Link:
https://app.any.run/tasks/7220abcc-1be5-4548-83cd-74a1615e54c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d6755d3962f1a6f471cfb3
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Connection attempt to an infection source
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67d66660d2c4beeae9260c73/reports/cbfa0c56-2ae2-4f7b-af4a-66cc003c6dfc/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19b0c4b4-395e-44e9-9e5c-0183749054cd
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1639745
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639745 Sample: Output.exe Startdate: 16/03/2025 Architecture: WINDOWS Score: 100 63 chat-poster.gl.at.ply.gg 2->63 65 raw.githubusercontent.com 2->65 67 2 other IPs or domains 2->67 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 12 other signatures 2->87 10 Output.exe 4 2->10         started        13 SolaraSupport.exe 2->13         started        16 test.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 55 C:\Users\user\AppData\Roaming\test.exe, PE32 10->55 dropped 57 C:\Users\user\AppData\...\SolaraExecutor.exe, PE32 10->57 dropped 59 C:\Users\user\AppData\...\Output.exe.log, CSV 10->59 dropped 20 SolaraExecutor.exe 4 10->20         started        24 test.exe 15 4 10->24         started        97 Antivirus detection for dropped file 13->97 99 Multi AV Scanner detection for dropped file 13->99 signatures6 process7 dnsIp8 51 C:\Users\user\AppData\...\SolaraSupport.exe, PE32 20->51 dropped 53 C:\Users\user\AppData\...\BootstrapperNew.exe, PE32+ 20->53 dropped 89 Antivirus detection for dropped file 20->89 91 Multi AV Scanner detection for dropped file 20->91 93 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->93 27 SolaraSupport.exe 15 6 20->27         started        32 BootstrapperNew.exe 17 20->32         started        69 chat-poster.gl.at.ply.gg 147.185.221.24, 41534, 49694, 49701 SALSGIVERUS United States 24->69 71 abolhb.com 185.172.175.125, 49698, 49702, 49705 HUGESERVER-NETWORKSUS Lithuania 24->71 73 raw.githubusercontent.com 185.199.109.133, 443, 49692 FASTLYUS Netherlands 24->73 95 Creates multiple autostart registry keys 24->95 file9 signatures10 process11 dnsIp12 75 193.161.193.99, 21764, 49710, 49712 BITREE-ASRU Russian Federation 27->75 77 ip-api.com 208.95.112.1, 49697, 80 TUT-ASUS United States 27->77 61 C:\ProgramData\SolaraSupport.exe, PE32 27->61 dropped 101 Antivirus detection for dropped file 27->101 103 Multi AV Scanner detection for dropped file 27->103 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->105 107 5 other signatures 27->107 34 powershell.exe 27->34         started        37 powershell.exe 27->37         started        39 powershell.exe 27->39         started        41 powershell.exe 27->41         started        file13 signatures14 process15 signatures16 79 Loading BitLocker PowerShell Module 34->79 43 conhost.exe 34->43         started        45 conhost.exe 37->45         started        47 conhost.exe 39->47         started        49 conhost.exe 41->49         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb/
Threat name:
Win32.Exploit.Xworm
Create hunting rule
Status:
Malicious
First seen:
2025-03-16 04:03:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yau5dbngssvgg36fucc2fuoxp7qijjanrqlcoqfb55egrsooshvq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
075151678431e9ed1a6f26563f7a2143517bec7741c6dc53a106fbad4fe2d41a
Formbook
0e775d8ad0dede1acec67508e6bdc2b6940a63c937e3131262889ddb3beb309a
Formbook
65003b56f231e2913aed2ce8c6e5311778f03762263c43e10daafbb846d687cf
Formbook
72140c5148b70c098ce65045d1c2365ee9e85d904426ea8cd3f8f280c0d99ceb
Formbook
853141ecab59614b4bd0e5ecd204a79e5856cd2aaa8464a6084b4c1ba2960610
Formbook
87b2797f05debda5a97abab75511afdb42a2992fd8ca45e094b26bef558397cf
Formbook
9c8f662c94fb5178feb1af27980f736069689b039b32640df39c39e9438b0651
Formbook
a088b9f3b8936f8fc7ef1c26a30e38b6fed5a08f20aad35a69733f2b83b9bffd
Formbook
a7da92a8f1dde21271b0e4ca6dab609c97cde7d659582eef25e373fc9dd44610
Formbook
error
Formbook
+ 314 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/250316-gh3p5awpz9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
193.161.193.99:21764
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/9ee89e0d-94fa-43a4-afa2-675b3d744931
Unpacked files
SH256 hash:
c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
MD5 hash:
031f0368fbb81830be1927a09afe2de0
SHA1 hash:
9baba28f2414bec7d84431ad9ded7930493f1c3e
Link:
https://www.unpac.me/results/61552896-7b04-4dca-9ec6-5cdb6643656d/
SH256 hash:
d001bba614a32b298746b1d085559b108356ee6d7c37b76ebf9f83ad98f2f929
MD5 hash:
7eb582002ba21b6f17002f6cd21eba16
SHA1 hash:
21f602cc3cc9f4d6e3cf224ce78ca9b45fc210fc
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/61552896-7b04-4dca-9ec6-5cdb6643656d/
SH256 hash:
08da7551995bad095ca9e22ad11264e565a023caf9ef799f298f4c235ec44d26
MD5 hash:
472fe7fe7163333db68640dc7827bc17
SHA1 hash:
35a127ed3c08379dd270761547f209bb56d6b9e8
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/61552896-7b04-4dca-9ec6-5cdb6643656d/
Parent samples :
c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
08da7551995bad095ca9e22ad11264e565a023caf9ef799f298f4c235ec44d26
2e92d49510ae3e2be370ef41079b314a8fcc936fe0cd220c7d88ed5895943af4
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c029d185a694/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/7220abcc-1be5-4548-83cd-74a1615e54c9

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments