MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments 1

SHA256 hash:	c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c
SHA3-384 hash:	beb0e47d8d1b871108b164b033f64c1a89def04e7a1a24f199ddc7a9aae2a6f8843b4484497d32702f8786867f96137a
SHA1 hash:	f399fbab1d1db9c10294a3cb23d71c33947d286b
MD5 hash:	940fb7ef71682b6110d7c2d37a92f5df
humanhash:	oven-helium-jig-mango
File name:	940fb7ef71682b6110d7c2d37a92f5df
Download:	download sample
Signature	Formbook Create hunting rule
File size:	358'912 bytes
First seen:	2021-10-22 09:12:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25e96726029c322936cf0033b6a07058 (11 x RedLineStealer, 2 x Smoke Loader, 1 x Formbook)
ssdeep	6144:n7+kn6p2xtxqlkFx6MPLYp7q9LwvzIn+fPlkFQob7aLaArbEk0vJtEW:7+k6c1qK2kY7btABbmHbVIJtE
Threatray	9'144 similar samples on MalwareBazaar
TLSH	T1A774AF10AAA0C035F1B752F84AB693ACB93E7EA16B6455CF52D427EE47346E0EC30717
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/199334/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/6172809fdb358dd15ed338f7/reports/8846602d-56b6-43ed-9ef0-34cbf622eb12/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5d9207ca-d9ce-461b-a67a-aed729995402

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/875095

Signature

C2 URLs / IPs found in malware configuration

Found detection on Joe Sandbox Cloud Basic with higher score

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2021-10-22 01:20:36 UTC

AV detection:

18 of 45 (40.00%)

Threat level:

1/5

Verdict:

malicious

Label(s):

formbook

Formbook

12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

Formbook

26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495

Formbook

35204f1850b1439ef9a8fd958d6c3045edae69378aa3593021795d0600fc5a01

Formbook

7a12f38cc2bd503f9667620f86315281e8319f9f2dca72aa19eb19ff6f3629a6

Formbook

c6106fc0a5a8a0fb4a2245bd159b22ed22ec40840826b51b585f78f97f860be8

Formbook

d3a9a3edb7bf2c1c0bee319acb384b4ea0d27a72c09ee0781996ecc4b6637fef

Formbook

+ 9'134 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:bs8f loader rat

Link:

https://tria.ge/reports/211022-k6qx1sccdq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Xloader Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Xloader

Malware Config

C2 Extraction:

http://www.rwilogisticsandbrokerage.com/bs8f/

Unpacked files

SH256 hash:

437f71eeac365ed438585d7f81b4aad3fc2728bcb08984b584d8e1dc9b953951

MD5 hash:

717be70bab2a5981683648761ff810f6

SHA1 hash:

bb8dee942ce1f5de1aedf3d6ac404ae1bce28497

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/d366c238-68c3-430f-a4f1-0b630af2e6eb/

Parent samples :

c6bd41deb507046a69d680f7ce7c06ec255fc0ca19223d57788bca61cc14beb9
c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c
66ebc2bbaf8ea07be988cce296542d9e1d7d24fbfe4523894bfd5a8c4474502e
bc8d2b7c7d534633d3e80f50a21ddbc634c0800ce6469bfbaaf40a5d8e0de466
86c0bfd6c4dd8c077a022db87078ebaec7414ee55ed205b0efe836854614519a
77582ba5bb0a7e0894a64d832ead70cd8572cb49f21fcdc10d8904d68343798d
8ea8f9f842988640002c282c9a79c67b13429fe061b9067ca79e7ad36132d05e
4a04094a64a2ebdd9b6f8ef3345b1308e36fdc434741a9f3f17003109ba9341f
7efe7d38b841aac0c56e86c8c6698743dd7cc5d70b3546b416a23f4e7712c9df

SH256 hash:

c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c

MD5 hash:

940fb7ef71682b6110d7c2d37a92f5df

SHA1 hash:

f399fbab1d1db9c10294a3cb23d71c33947d286b

Link:

https://www.unpac.me/results/d366c238-68c3-430f-a4f1-0b630af2e6eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1707256/

Cape

https://www.capesandbox.com/analysis/199334/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-10-22 09:12:35 UTC

url : hxxp://202.55.132.29/007/vbc.exe