MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
SHA3-384 hash: 0aa85763d824eb5516f3e08bcfdd7921d31ed77a319e317caf70941dbadf4e01fbcaaba349433f09bd53b53d29e6187b
SHA1 hash: 25796d8f144f0287c0218c7aa448f4f914891fc1
MD5 hash: 6dabcc4315aec87869a8f89f0207b9ec
humanhash: ohio-glucose-solar-jupiter
File name:0x0009000000023234-253
Download: download sample
Signature Formbook
Create hunting rule
File size:1'698'304 bytes
First seen:2023-12-30 10:57:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:q74oSZSYH/O+sIV8aUgibdu5Hrll117UXDpLAZCR1:q74xpRs7aUgibduNRlb0lH
TLSH T1D575E7FE55E994151672CBDE646C002C4AD7842F9A33B8AAB7853C1FCBC99CDDA2017C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter e24111111111111
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
c7bd91207ac565f362c9a9702bcf5cb278b414e8a5489087431a448011d32f47.exe
Verdict:
Malicious activity
Analysis date:
2023-12-30 11:33:52 UTC
Tags:
evasion asyncrat xworm
Link:
https://app.any.run/tasks/3c9adc9f-ceac-49cb-a648-f46f8bcacb5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the Windows directory
Creating a file in the %temp% directory
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/658ff7bfb290743934f02dbe/reports/3ea3b1a5-ca90-4c20-abab-a96dc24825e6/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c60b7274-737a-4639-b0d8-9835422600e6
Result
Threat name:
AsyncRAT, DcRat, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368239
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Potential malicious VBS script found (has network functionality)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368239 Sample: 0x0009000000023234-253.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 47 maxcare.app 2->47 49 ip-api.com 2->49 51 fvia.app 2->51 83 Multi AV Scanner detection for domain / URL 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for URL or domain 2->87 89 14 other signatures 2->89 9 0x0009000000023234-253.exe 3 2->9         started        signatures3 process4 file5 37 C:\ProgramData\Seting.exe, PE32 9->37 dropped 12 Seting.exe 3 10 9->12         started        process6 file7 39 C:\Users\user\AppData\Roaming\ship.exe, PE32 12->39 dropped 41 C:\Users\user\AppData\Roaming\ntoskrn.exe, PE32 12->41 dropped 43 C:\Users\user\AppData\...\WindowsSecurity.exe, PE32 12->43 dropped 45 6 other malicious files 12->45 dropped 95 Antivirus detection for dropped file 12->95 97 Multi AV Scanner detection for dropped file 12->97 99 Potential malicious VBS script found (has network functionality) 12->99 101 3 other signatures 12->101 16 Registry Editor.exe 1 12->16         started        19 WindowsSecurity.exe 14 2 12->19         started        22 dow.exe 1 12->22         started        25 7 other processes 12->25 signatures8 process9 dnsIp10 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->61 63 Writes to foreign memory regions 16->63 65 Allocates memory in foreign processes 16->65 67 Injects a PE file into a foreign processes 16->67 27 RegAsm.exe 16->27         started        53 ip-api.com 208.95.112.1, 49711, 80 TUT-ASUS United States 19->53 69 Antivirus detection for dropped file 19->69 71 Multi AV Scanner detection for dropped file 19->71 73 Machine Learning detection for dropped file 19->73 75 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 19->75 31 WerFault.exe 19->31         started        35 C:\Windows\svchost.exe, PE32 22->35 dropped 77 Drops PE files with benign system names 22->77 55 maxcare.app 104.21.37.62, 443, 49710 CLOUDFLARENETUS United States 25->55 79 Windows Scripting host queries suspicious COM object (likely to drop second stage) 25->79 81 Potential dropper URLs found in powershell memory 25->81 33 conhost.exe 25->33         started        file11 signatures12 process13 dnsIp14 57 171.247.47.66, 4444, 49718, 49723 VIETEL-AS-APViettelGroupVN Viet Nam 27->57 59 fvia.app 104.21.34.141, 443, 49717, 49722 CLOUDFLARENETUS United States 27->59 91 Protects its processes via BreakOnTermination flag 27->91 93 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->93 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419/
Threat name:
ByteCode-MSIL.Dropper.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 11:19:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 23 (73.91%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdoyizaarusp4autque6wmld6clutyohnp7w3t6slmotdezvoqmq._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:xworm botnet:default persistence rat trojan
Link:
https://tria.ge/reports/231230-m2vfradefp/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Async RAT payload
AsyncRat
Detect Xworm Payload
Xworm
Unpacked files
SH256 hash:
f65e7a6d4e2874967bdac2e38721f7141ed3778feb74a07c82f8be2716e3e925
MD5 hash:
52c6c0a31da4b83b061ebe7409edb906
SHA1 hash:
ca0b545df3948b34f81f52ac08a64acef6bf096b
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
SH256 hash:
5d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce
MD5 hash:
216ef921adac2bbb51ff6331f61b19e7
SHA1 hash:
90c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d
Detections:
XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
SH256 hash:
36396f627d6021cbc8d8b4e6f6cb0358c5ebca13c66b6b3b255bb612d9645db1
MD5 hash:
accf63a061756047dafce635c5cf57ef
SHA1 hash:
60549c55fe76cc0eeef403f6a56256d243a3e56a
Detections:
APT_ArtraDownloader2_Aug19_1
Create hunting rule
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
SH256 hash:
824e192a6e719525c9d66b0ae34188b8f5c37423390c4872ee5069f87c62f8c8
MD5 hash:
24abf7a786172f04265956cb823e7873
SHA1 hash:
f5f882034d7c07aa076f0871d72fc3fbf372920f
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
SH256 hash:
7bbe722f16c30b98a23901e3ce0b39600c2620983084f2e7c4f05506abad2971
MD5 hash:
2812210571ec21dfed8c1f9277020d4f
SHA1 hash:
363e645b3dae1774f0349182bc0453249ae1a64c
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
SH256 hash:
edda87df5c64d0669cd97592211838487afae0d4675a0f9e47b397c6dac90f82
MD5 hash:
598aa482794deb3d5b4edbdd68d07e9a
SHA1 hash:
d07734098f9717182d2d9b0fce98552c2a91b759
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
SH256 hash:
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
MD5 hash:
6dabcc4315aec87869a8f89f0207b9ec
SHA1 hash:
25796d8f144f0287c0218c7aa448f4f914891fc1
Link:
https://www.unpac.me/results/e03af0a1-7639-4367-ad32-1ed018fc82ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8dd8464008d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments