MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1
SHA3-384 hash: 1050012572e59e25734b6b61dc324eccf0cdef2029d55af054f3ea70ca9f70edd1059eb32265c31a1401446992526943
SHA1 hash: 46f5ac2b51916112f2a941294fd78ab10bdf5ace
MD5 hash: 35a4dbe8fc377c105e08f9a500a22569
humanhash: mango-papa-maryland-oranges
File name:35a4dbe8fc377c105e08f9a500a22569
Download: download sample
Signature Formbook
Create hunting rule
File size:427'520 bytes
First seen:2022-01-25 10:29:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fzrTXnk0XvJs0IXgTR6ZMCIn5HA5fD81G:fzrTfJ7R9rM
Threatray 13'040 similar samples on MalwareBazaar
TLSH T19594F14C7294729FC5A7CE7ADDA01C44B3A2B9765313D347B48F626D990E38B8F016B2
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
35a4dbe8fc377c105e08f9a500a22569
Verdict:
Suspicious activity
Analysis date:
2022-01-25 10:43:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ecdeeee-6dcf-4e7a-9527-db0d09e8350e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222356/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/61efd134f81da814afa333e2/reports/e4e5c0e7-6715-456c-8ddd-a3e4a8602521/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/060f26c1-b6e4-4430-909e-71e716fe5661
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926970
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 559445 Sample: V2PhGxIgsE Startdate: 25/01/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 9 V2PhGxIgsE.exe 3 2->9         started        process3 file4 30 C:\Users\user\AppData\...\V2PhGxIgsE.exe.log, ASCII 9->30 dropped 50 Tries to detect virtualization through RDTSC time measurements 9->50 52 Injects a PE file into a foreign processes 9->52 13 V2PhGxIgsE.exe 9->13         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 13->54 56 Maps a DLL or memory area into another process 13->56 58 Sample uses process hollowing technique 13->58 60 Queues an APC in another process (thread injection) 13->60 16 cmd.exe 13->16         started        19 explorer.exe 13->19 injected process8 signatures9 34 Self deletion via cmd delete 16->34 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Tries to detect virtualization through RDTSC time measurements 16->40 21 explorer.exe 1 150 16->21         started        24 cmd.exe 1 16->24         started        26 explorer.exe 102 16->26         started        process10 dnsIp11 32 192.168.2.1 unknown unknown 21->32 28 conhost.exe 24->28         started        process12
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 01:38:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0be58a33d1ccbb74ef24592d2d16009bd56638aef6c294af7793e57588e04ef6
Formbook
10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950
Formbook
37182811d9f3a0a2b3126266dc70a5253c4745de7e18e75a4c29393fbdedb142
Formbook
459c86bf11535b9d62c895a6677a5eb40d8f0cf3136477e5da746045bf3fb6a3
Formbook
69beb963daa43dd4f918d96934484b37b091ba40a9697519c9803db38a2146cd
Formbook
838646bc9841804d7671fb25b3fd5d3e67e91c1d341c7125ce63ad436ada5f26
Formbook
889a99efe47a7cd2f2ee5797086d76e5811f9502047d9be1c6cbc1dc815c57fe
Formbook
996cc6827a24a8d9ecce1b82269dbbfefd30142f72de61e723173422121c892d
Formbook
a8ffb883609ff6d5a39170b1061077440637b40fc0f5a9db98cd85a6f4f2a95d
Formbook
+ 13'030 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gvqa loader rat
Link:
https://tria.ge/reports/220125-mjvc2aecc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
e65c73e9eab9ed8b93e593bbba731194d926bf35481cdbc27bb7a5d43d893845
MD5 hash:
73a765b94d5061861a3820d5e49dde08
SHA1 hash:
8ced5ed7a0d29bbd5054e13b5e68e28966b029a9
Link:
https://www.unpac.me/results/05f6bee6-b44b-4a84-9964-ba26896e5ae8/
SH256 hash:
a829c1da56aa4ba00c754d0d14ecf77d556e27aff0dbf8def6bc20252ed3eb27
MD5 hash:
08e6ecd0b28b5ec1fc9ba816acd67da1
SHA1 hash:
7c4b8b9be48be9b76b5ce092655788f1d4334730
Link:
https://www.unpac.me/results/05f6bee6-b44b-4a84-9964-ba26896e5ae8/
SH256 hash:
c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1
MD5 hash:
35a4dbe8fc377c105e08f9a500a22569
SHA1 hash:
46f5ac2b51916112f2a941294fd78ab10bdf5ace
Link:
https://www.unpac.me/results/05f6bee6-b44b-4a84-9964-ba26896e5ae8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/222356/
  
URLhaus
https://urlhaus.abuse.ch/url/2004691/

Comments


Avatar
zbet commented on 2022-01-25 10:29:45 UTC

url : hxxp://sashapieterse.net/f9/rfq.exe