MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
SHA3-384 hash: 6dd3b6984b982ae514eff26b00a140e0c85e8134d72c409fe33b14665e1431f7099215aa806f14a1f1c82a7fdc773216
SHA1 hash: 9ea012a3ee703fdb52ea68e78f9a1eadd2bc57fc
MD5 hash: 9db4d61aae959a5b9d2a4c3970a20e4b
humanhash: spaghetti-december-river-ack
File name:9db4d61aae959a5b9d2a4c3970a20e4b
Download: download sample
Signature Formbook
Create hunting rule
File size:831'488 bytes
First seen:2022-02-23 14:03:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:/1NK777777777777HyzsAmG3/B3oPyA5bTdZN0B9:a777777777777nAT/1oT5TzN0D
Threatray 13'975 similar samples on MalwareBazaar
TLSH T15805CF043DAB5F3DE5718B720DC5ECB4BAA8FB231C08B37D78956686C691B904D422B6
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243807/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.NanoBot.mc.30336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed remcos replace.exe
Link:
https://www.filescan.io/uploads/62163ed9a2660f3bb93038d1/reports/c035627c-f040-49b2-b967-f7432fca704a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd881575-6a96-4392-a9a9-396318d03d69
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944814
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 577292 Sample: ex6DYnXMwL Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 28 www.thebiggreen.today 2->28 30 www.lawyerjerusalem.com 2->30 32 9 other IPs or domains 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 7 other signatures 2->48 10 ex6DYnXMwL.exe 3 2->10         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\ex6DYnXMwL.exe.log, ASCII 10->26 dropped 50 Tries to detect virtualization through RDTSC time measurements 10->50 52 Injects a PE file into a foreign processes 10->52 14 ex6DYnXMwL.exe 10->14         started        signatures6 process7 signatures8 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 chkdsk.exe 14->17         started        20 explorer.exe 14->20 injected process9 signatures10 34 Self deletion via cmd delete 17->34 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Tries to detect virtualization through RDTSC time measurements 17->40 22 cmd.exe 1 17->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 14:04:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
Formbook
503afb59d8192f6adb3e67db043eeb6459e8ec3fc117ef8e2f6690d5f0c4a12b
Formbook
70c6fd4de902c8ccce31380698b123def84b4d209c8b824e1065349a5aee9de2
Formbook
96077c533e59e3b8cf38826e5e37e35f1f2eb44d356eae6575223158b565198e
Formbook
ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd
Formbook
d6b928a4292c14dee552691c4955bdff07d038470ec1419c88a4018fb06bd399
Formbook
e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd
Formbook
f3a2d8b0fe1ccd8d1deb057efd255a123444b0298e24d0aabe385136580accdc
Formbook
+ 13'965 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pvgu loader rat
Link:
https://tria.ge/reports/220223-rc9llaada8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
f2fd2a66520f0b0cd24cdbb0c1edafda47f03a1656b7edd5e84245c9a42ae5eb
MD5 hash:
9621f5b5322aa74769639b6104fdc6fc
SHA1 hash:
1501d2300eb134f73a53deaf751a9156fb2d0f87
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/149b5fcb-bd0a-4d8b-9735-03f69df6f929/
Parent samples :
c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
b55fdab1b973c44e6fb9e7689cd2f41e191a79078fc5c0c0a9d6c8387ea9340d
b7644594c68c21aa4731efc1d146a8546ee3915d338903cea20d56d28a49fe23
SH256 hash:
0ed7e24a8a1a9a8d1aba6fd05e21b4df77d17be2ef9bc02b2425d73a8ed1c2eb
MD5 hash:
1d35cd02df7a07ce7120c74186e713c1
SHA1 hash:
ac367e88591a4d95e7e7d2229231a30d9b770418
Link:
https://www.unpac.me/results/149b5fcb-bd0a-4d8b-9735-03f69df6f929/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/149b5fcb-bd0a-4d8b-9735-03f69df6f929/
SH256 hash:
e7656546ed5886b54677c3cbfad3d7160c7c143ca9b388132589c54e24b2c2e7
MD5 hash:
e351b52e9c78ff95285b9f389adb6e8b
SHA1 hash:
1f18d7ccd196a62613fb08814c818e3e4c038ca4
Link:
https://www.unpac.me/results/149b5fcb-bd0a-4d8b-9735-03f69df6f929/
SH256 hash:
c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
MD5 hash:
9db4d61aae959a5b9d2a4c3970a20e4b
SHA1 hash:
9ea012a3ee703fdb52ea68e78f9a1eadd2bc57fc
Link:
https://www.unpac.me/results/149b5fcb-bd0a-4d8b-9735-03f69df6f929/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c0b711533265/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2055676/
Cape
Cape
https://www.capesandbox.com/analysis/243807/

Comments


Avatar
zbet commented on 2022-02-23 14:03:35 UTC

url : hxxp://198.23.212.228/SEbin.exe