MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c337a7a825db681ba33f4ddc9ba9cf108572d554f36708031c5909f3f5ffaae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c337a7a825db681ba33f4ddc9ba9cf108572d554f36708031c5909f3f5ffaae5
SHA3-384 hash: 69e92690326fed4786ba8cdb8a70ce4fc7249e2b5982e9f00dbab061eab2f42d97754263796b3e495ef70064fb9e20d7
SHA1 hash: 9f654e80f521c09728838c4dc66bf211b42ae533
MD5 hash: b76d8a8a813f33369718dc8feb1b9f6a
humanhash: lamp-timing-utah-wyoming
File name:AWB728590890733.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:763'904 bytes
First seen:2022-07-28 13:27:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:norHugGpbf/2da5lRjur5+uTKrXXAiUCrhQC2vp0UcN5sneVTs2owqGLMbI9:Mkpfqah2+LrXXjHOU5sneVTDq8wI
TLSH T190F4015299A94232EC2EC77B8536147853B22C1511E7F32CBD9D3CEEA5BBB480D14AD3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294938/
Detection(s):
SecuriteInfo.com.Trojan.Zmutzy.Pong.2-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b87ee0f7-08be-41cd-999a-74959b07d940
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1042532
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 675025 Sample: AWB728590890733.exe Startdate: 28/07/2022 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 8 other signatures 2->48 10 AWB728590890733.exe 7 2->10         started        process3 file4 34 C:\Users\user\AppData\Roaming\fTckFUcQ.exe, PE32 10->34 dropped 36 C:\Users\...\fTckFUcQ.exe:Zone.Identifier, ASCII 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp83FB.tmp, XML 10->38 dropped 40 C:\Users\user\...\AWB728590890733.exe.log, ASCII 10->40 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 10->50 52 Adds a directory exclusion to Windows Defender 10->52 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 AWB728590890733.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process8 process9 27 raserver.exe 21->27         started        signatures10 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 62 Tries to detect virtualization through RDTSC time measurements 27->62 30 cmd.exe 1 27->30         started        process11 process12 32 conhost.exe 30->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c337a7a825db681ba33f4ddc9ba9cf108572d554f36708031c5909f3f5ffaae5/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-28 07:33:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ym32pkbf3nubxiz7jxojxkopcccxfvku6ntqqay4lee7h5p7vlsq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:ouvk loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220728-qqm43sgfgl/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader payload
Formbook
Xloader
Unpacked files
SH256 hash:
17ba4ac36617ebbab083a09d64750d6eb2542973f6b5f205b14ef5041fc6f89f
MD5 hash:
9b7f453e225692c39b1beb42fe56bba5
SHA1 hash:
2d9826abfb94463156f25c4428ce6afe56f49076
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/92d9ec93-283e-45d5-b069-7f2a01b96007/
Parent samples :
ffa56449f84c15094bd1d4c93fe2a6e472005df760d3b8af816d7b523fef7b65
b704daa4a8ddc8d03b453d35507dc2c77a42cd96b5ee0fce810a51dc00fdee6c
c337a7a825db681ba33f4ddc9ba9cf108572d554f36708031c5909f3f5ffaae5
446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3
SH256 hash:
4f0b372fd44e7e5023a35dbfae69ae09e72ed0e1db7c5dc615993032d43502e6
MD5 hash:
44e62ab67d26342c1c7e6b47eb19c0f5
SHA1 hash:
e7cea6b1138d389f62541e1ef9d7e682d68d505d
Link:
https://www.unpac.me/results/92d9ec93-283e-45d5-b069-7f2a01b96007/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/92d9ec93-283e-45d5-b069-7f2a01b96007/
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
Link:
https://www.unpac.me/results/92d9ec93-283e-45d5-b069-7f2a01b96007/
SH256 hash:
cf5938596a0ac18413696133a65b8cad2b0aecaffd33c7648d13b74078a28aa3
MD5 hash:
91f0f35816205126c02da112b50098e8
SHA1 hash:
26194eb069c8ce80a6d05d76170efe193294a3c9
Link:
https://www.unpac.me/results/92d9ec93-283e-45d5-b069-7f2a01b96007/
SH256 hash:
c337a7a825db681ba33f4ddc9ba9cf108572d554f36708031c5909f3f5ffaae5
MD5 hash:
b76d8a8a813f33369718dc8feb1b9f6a
SHA1 hash:
9f654e80f521c09728838c4dc66bf211b42ae533
Link:
https://www.unpac.me/results/92d9ec93-283e-45d5-b069-7f2a01b96007/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c337a7a825db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/294938/

Comments