MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31
SHA3-384 hash: da7ac8fb7dadb7f6cfd55874ceddc7361b97ab3e8e849f943c41e085824fd8aed5344aae9272bcf81810ac529b5db684
SHA1 hash: fb3ee5897133d6b263ace2029c10db152460dfaa
MD5 hash: 751738f515996f05e2e02db5a8f316e1
humanhash: minnesota-oxygen-artist-mango
File name:Dekont.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:487'108 bytes
First seen:2022-03-01 08:10:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:LGfffffffffffffffffffffffffffffffQA8jzRMoS5y6jtlle:LGfffffffffffffffffffffffffffffi
Threatray 11'147 similar samples on MalwareBazaar
TLSH T1B6A4BF778C79D662C402A035F836286463996C5EA9EBFC7372E4D76C8830806D78DF5B
File icon (PE):PE icon
dhash icon 69e8d4a282d4d496 (1 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245623/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8259.8366.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/621dd521b94fb38cb42c7fbc/reports/d0632d25-0c2a-4a94-ac09-4cd926831786/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb18606f-036f-4a4f-b217-6319a63558d9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/947969
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 580454 Sample: Dekont.exe Startdate: 01/03/2022 Architecture: WINDOWS Score: 100 34 www.tiz7ckbnmzjj.biz 2->34 36 www.flipkartsdealscart.xyz 2->36 38 6 other IPs or domains 2->38 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 5 other signatures 2->60 12 Dekont.exe 18 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\hnspdeaw.exe, PE32 12->32 dropped 15 hnspdeaw.exe 12->15         started        process6 signatures7 70 Multi AV Scanner detection for dropped file 15->70 72 Tries to detect virtualization through RDTSC time measurements 15->72 18 hnspdeaw.exe 15->18         started        process8 signatures9 46 Modifies the context of a thread in another process (thread injection) 18->46 48 Maps a DLL or memory area into another process 18->48 50 Sample uses process hollowing technique 18->50 52 Queues an APC in another process (thread injection) 18->52 21 explorer.exe 18->21 injected process10 dnsIp11 40 skategrindingwheels.com 107.180.46.149, 49780, 80 AS-26496-GO-DADDY-COM-LLCUS United States 21->40 42 www.x-teknoloji.com 21->42 44 4 other IPs or domains 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 25 explorer.exe 21->25         started        signatures12 process13 signatures14 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 08:11:16 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjjepg73ntv3wapgtcw6lw32htem2or6bsqrrpw26pymezzb5yyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
Formbook
42dc6cb1694709c1a2d33542a735b89ab39810fd2ac5a434fb74446b7edd56e5
Formbook
59158ffa159d5d00b762b547ba6f97a0c0d1c24bc16cb741d9dfe00191ab5629
Formbook
8c4a31342df6ff294593054eef07264ffd3e44f4daed25199b1fd1df92d4ff2f
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac
Formbook
bbbb4573dc583a2870aad1d30b310e6e61dae23c5652ae30207a392209d9dd6d
Formbook
ffe0056602a8dc93d86cb32aab64c4d76f1dcba72d9a4be86fb228bcf1229502
Formbook
+ 11'137 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:efa8 loader rat
Link:
https://tria.ge/reports/220301-j3bhgshbc5/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
859036c9a7591655f904f6200de6b2adf050611ae7bd0fdb43eae6a7563ee5d9
MD5 hash:
e42357af1349fb977f15e2ee866ff5b4
SHA1 hash:
d2bfa9d97879d4151299bfd333bcf7d641af79fe
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9994cb75-4f55-42ba-bf16-2f0b77e80dc9/
Parent samples :
adcd734d11d1d4f1362c9acd526c0f4e224974d3b04257f9348ee475208b49ac
42dc6cb1694709c1a2d33542a735b89ab39810fd2ac5a434fb74446b7edd56e5
36dc07d6b4c429cda1b5a6f01f54675575f8b2929a0999047f598c85c36b4bdf
2f5f6db578c19a5a380e6e95f5ac284b348d2cb1a28b980fcc3596852e25f618
c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31
SH256 hash:
63c4f39510bb8137c82ecb22d90d8718e4b39bdc6db723cc189d28be242f60ad
MD5 hash:
25ad0bbd9bd81f7423abf5da3bb1ac90
SHA1 hash:
8a12b6ff2064694af43822f412e003e20a226f18
Link:
https://www.unpac.me/results/9994cb75-4f55-42ba-bf16-2f0b77e80dc9/
SH256 hash:
c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31
MD5 hash:
751738f515996f05e2e02db5a8f316e1
SHA1 hash:
fb3ee5897133d6b263ace2029c10db152460dfaa
Link:
https://www.unpac.me/results/9994cb75-4f55-42ba-bf16-2f0b77e80dc9/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c252479bfb6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c252479bfb6cebbb01e698ade5db7a3cc8cd3a3e0ca118bedaf3f0c26721ee31

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/245623/

Comments