MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe60fd82914adaba830f4406aba6ffe15d4fe3a1cd9993d0a16b0003b090058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbe60fd82914adaba830f4406aba6ffe15d4fe3a1cd9993d0a16b0003b090058
SHA3-384 hash: 6d66304aaa7f6579d87d0b73a47312653bd78059f3dc79ba1dc54e72a79e4562d867434c319afba42407201a88c43e4c
SHA1 hash: bd42f42eaffe36ca6573ad35b8d0f4cc7acd9980
MD5 hash: e118a1d7bbf4325151c74d4a6efb32b7
humanhash: september-july-indigo-single
File name:e118a1d7bbf4325151c74d4a6efb32b7
Download: download sample
Signature Formbook
Create hunting rule
File size:388'096 bytes
First seen:2022-02-24 18:58:54 UTC
Last seen:2022-02-24 20:48:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:NVSctpz7e/N7fy36mt7tHJXt5o3uai9BJ8f/W8ewIoGAlkNLdLvN34Q8a6:NV1pURfy36oZFtW3uaan2/WU6DNVFca
Threatray 13'916 similar samples on MalwareBazaar
TLSH T16084CF50F3948896F97F67B2D4768510036ABD6D997BD70E298B7FAD08B33820443B1B
File icon (PE):PE icon
dhash icon 992d6d4d3443cd4d (1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244424/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.14056.23546.1904.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6217d5813b743d74eee77dc4/reports/b1c104ac-ba31-4703-94dc-e8e1e24b8679/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4df8b34-7556-4756-bd23-7ba8f9e7ffbf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945978
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbe60fd82914adaba830f4406aba6ffe15d4fe3a1cd9993d0a16b0003b090058/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 18:59:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpta7wbjcsw2xkbq6ragvotp7yk5j7r2dtmzspikc2yaaoyjabma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
41baa5cad8fb3ecbaa97116421042ba41a024823638e9b7608c5ac2e2a339525
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2
Formbook
779f51468b459d7e4fa2fb6dafabd1771416f00bdd0ad587b1f3119da41edd5e
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001
Formbook
9f35e751b58fdca3b7156eba1bf2a56c88d3d5ce5e35de6b2797e6c8ba6ec0d8
Formbook
e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd
Formbook
+ 13'906 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:tk66 loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220224-xm3hxsdec5/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Unpacked files
SH256 hash:
3d0f07d953832ea31aadae7164373700907f55f4bd8a604c25c1dc2317e12fa8
MD5 hash:
0e347f9781d6b0d9839a68b8944033a9
SHA1 hash:
b4e719fc9807d98cfeb35c2a68b8a48289ef8b06
Link:
https://www.unpac.me/results/f70c27c8-8b48-418c-a514-52366b17f2e3/
SH256 hash:
0144820631094930fd82613b1d9f52fa75ccd007c6b933ad087059dcef8f95f7
MD5 hash:
a9553f662b42fa4e2141ecce43a82a03
SHA1 hash:
935f68eb0b67935f7994ecfacfbd41871ab53710
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f70c27c8-8b48-418c-a514-52366b17f2e3/
SH256 hash:
cbe60fd82914adaba830f4406aba6ffe15d4fe3a1cd9993d0a16b0003b090058
MD5 hash:
e118a1d7bbf4325151c74d4a6efb32b7
SHA1 hash:
bd42f42eaffe36ca6573ad35b8d0f4cc7acd9980
Link:
https://www.unpac.me/results/f70c27c8-8b48-418c-a514-52366b17f2e3/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cbe60fd82914/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbe60fd82914adaba830f4406aba6ffe15d4fe3a1cd9993d0a16b0003b090058

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe cbe60fd82914adaba830f4406aba6ffe15d4fe3a1cd9993d0a16b0003b090058

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2058393/
Cape
Cape
https://www.capesandbox.com/analysis/244424/

Comments


Avatar
zbet commented on 2022-02-24 18:58:56 UTC

url : hxxp://107.174.224.196/docs/127.exe