MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c14df711aaf2fdf1fe7eb19d5c8715190cfc4c99e535a044d6df754e311ebfdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c14df711aaf2fdf1fe7eb19d5c8715190cfc4c99e535a044d6df754e311ebfdb
SHA3-384 hash: ca1bee22f3aaf5d0d95200b8ad4aba158f4e9936bcb3c004f225560627ce0055825c03f78d9e4c82cb7db00cd23b7227
SHA1 hash: 2c4bfd09453710c23c8d1280637b958e88fe7090
MD5 hash: 6a049652dccbc682444088a9c910abed
humanhash: emma-lithium-bakerloo-lima
File name:6a049652dccbc682444088a9c910abed
Download: download sample
Signature Formbook
Create hunting rule
File size:288'768 bytes
First seen:2021-11-02 09:15:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8ef4a428f658ada3d2d48117cace047 (5 x RedLineStealer, 2 x Smoke Loader, 1 x Formbook)
ssdeep 6144:6qYvRKoDXTYfvJ69UFF0FDO9VIB7008qX0A3ynVP:QKoDXTSyUneDEV8sA3S
Threatray 9'265 similar samples on MalwareBazaar
TLSH T19254E00032A1D43AD0B74E7049A5C6E1673ABCE3E67E558763D73A3F6F312B09962316
File icon (PE):PE icon
dhash icon fcfc94d4d4d4d8c0 (24 x RaccoonStealer, 21 x RedLineStealer, 9 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6a049652dccbc682444088a9c910abed
Verdict:
Suspicious activity
Analysis date:
2021-11-02 09:17:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8d02dc3-7d87-4d74-b6d4-7893bed595e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201371/
Detection(s):
Win.Trojan.Generic-9904327-0
Create hunting rule

Win.Trojan.Generic-9904328-0
Create hunting rule

Win.Dropper.Raccoon-9904713-0
Create hunting rule

Win.Trojan.Generic-9904992-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit overlay packed
Link:
https://www.filescan.io/uploads/618101d5bf51178dbe483d33/reports/c8ad1f35-e904-45cf-a9ac-382638523522/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f44fa325-0334-4b5b-afdb-8064257483d6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/881124
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found detection on Joe Sandbox Cloud Basic with higher score
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c14df711aaf2fdf1fe7eb19d5c8715190cfc4c99e535a044d6df754e311ebfdb/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 12:15:54 UTC
AV detection:
34 of 44 (77.27%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
014fdffc1561ee767b1189c5b496f587d16ba7d394ca9d26d2e7d6f8541ebc92
Formbook
062a33046cca90bc6364cc29ccd47ae7f4165d388f5fb699bb88c35c4509bb90
Formbook
098a32bfcd332f71fdb65cf704994c70cf6390110340c809ae2cc66bddfbde04
Formbook
5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936
Formbook
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Formbook
a5e44dd81280a7fbef17c18e528c9df4b1289144fbc107d011af282a69cc3062
Formbook
da0e2504009a426b799d9135979188e2c4533f69c2e981650afc51d5e8e320c2
Formbook
f792fdad86a8e30cb364d54392dd57b58b7699a17ef35b716f1a115516adfe10
Formbook
+ 9'255 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n8rn loader rat
Link:
https://tria.ge/reports/211102-k8gr5ahbdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Xloader Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Xloader
Malware Config
C2 Extraction:
http://www.catskillstnpasumo4.xyz/n8rn/
Unpacked files
SH256 hash:
c14df711aaf2fdf1fe7eb19d5c8715190cfc4c99e535a044d6df754e311ebfdb
MD5 hash:
6a049652dccbc682444088a9c910abed
SHA1 hash:
2c4bfd09453710c23c8d1280637b958e88fe7090
Link:
https://www.unpac.me/results/cfeb597e-7d3e-4782-b615-cdeea88a3ad5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c14df711aaf2fdf1fe7eb19d5c8715190cfc4c99e535a044d6df754e311ebfdb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c14df711aaf2fdf1fe7eb19d5c8715190cfc4c99e535a044d6df754e311ebfdb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1738675/
Cape
Cape
https://www.capesandbox.com/analysis/201371/

Comments


Avatar
zbet commented on 2021-11-02 09:15:11 UTC

url : hxxp://104.168.32.50/008/vbc.exe