MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb
SHA3-384 hash: 202dcf0e7015af3a4f3ec8bef39b238826ea66e9b59b35b96085df854749f42100c733258fa42ca2bf2952fb4ace6161
SHA1 hash: c9dfc78734d5569f95f0641509b2d027c84268e1
MD5 hash: 97f5fbaf3ca032af6ac15595beed482b
humanhash: six-mockingbird-foxtrot-quiet
File name:97f5fbaf3ca032af6ac15595beed482b
Download: download sample
Signature Formbook
Create hunting rule
File size:1'024'512 bytes
First seen:2021-12-08 16:31:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:tBGRGkE5i+jTQsC7rGb4xVIXk2/N96oa0znfx:tpMEcsCeQVYN9ja09
Threatray 12'124 similar samples on MalwareBazaar
TLSH T13F25232A7DE3DC62D1762537ECEF812413BC740EA501F62B35BD92BC1ED376604A2298
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97f5fbaf3ca032af6ac15595beed482b
Verdict:
Malicious activity
Analysis date:
2021-12-08 16:49:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5237fbb-6c25-4463-abec-ac1ee6e55fbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/212561/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b0de064d8e6f3a5e19c5c2/reports/ec6cf0df-4fed-4182-94f4-3ae8b225dbf6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55335fe1-0ceb-4dfb-bf62-7e8f5f8bca63
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/904029
Signature
.NET source code contains potential unpacker
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 536517 Sample: dhnWfCaXNb Startdate: 08/12/2021 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected AntiVM3 2->38 40 3 other signatures 2->40 10 dhnWfCaXNb.exe 3 2->10         started        process3 file4 32 C:\Users\user\AppData\...\dhnWfCaXNb.exe.log, ASCII 10->32 dropped 50 Tries to detect virtualization through RDTSC time measurements 10->50 14 dhnWfCaXNb.exe 10->14         started        17 dhnWfCaXNb.exe 10->17         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 14->52 54 Maps a DLL or memory area into another process 14->54 56 Sample uses process hollowing technique 14->56 58 Queues an APC in another process (thread injection) 14->58 19 explorer.exe 14->19 injected process8 process9 21 msdt.exe 19->21         started        signatures10 42 Self deletion via cmd delete 21->42 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        26 explorer.exe 1 149 21->26         started        28 explorer.exe 43 21->28         started        process11 process12 30 conhost.exe 24->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-08 13:04:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4821bcd8c5a1fefc28edf3a349e6aca22741054c27045ed12838d721e68d8d97
Formbook
516601b7a328bcee918e8c52e46f71b39437045489bdaaf90136c9f899197bc8
Formbook
6abf7f59336bf7fcaaf2825e7ae569441c21f9ba09bc53e8a4ff0489e50cdade
Formbook
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Formbook
7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f
Formbook
8a0fb297baf6f3affb73e0c20116dec0bbbae0292fcbffc3948051555df5099d
Formbook
c1657f01ccef85f3f46740a96704bc5dccfb4cf8fc9ac09abcfd7aa6660448f7
Formbook
cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
Formbook
e9c47cd72f9ee1fa189d8be6e0b8609613e27c3882b3f9aa6b3e5a2a21fe4246
Formbook
f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043
Formbook
+ 12'114 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:bu3e loader rat
Link:
https://tria.ge/reports/211208-t1ykcagda6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.junpincn.com/bu3e/
Unpacked files
SH256 hash:
8e4b3f53ca21888a334b36c942f35780d39a03fc8ef3c16f7f6a414131bb3052
MD5 hash:
2997d10e8c98ba3f1d3e7c2cf5506627
SHA1 hash:
74bf5b3ed5d2a83466b5b54333e251bdabd611e3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cf227af0-e86d-4d58-b815-dcb663477908/
Parent samples :
1bfbd2e312bd1fe323ff5b8fb10d7b275d5716d5d0dd375c93fd914c14b35dd8
cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb
7b499b9228bbfa5ab9cdacfbcec34d63d0ded4710ca778dae42a18f9e1535964
SH256 hash:
f7d51c8842f37e688f3122f0ef59ce5a8e0976a9b9f8f4bf992ddc6910359dc3
MD5 hash:
ee840d7803c71069b4e4cb49184e4009
SHA1 hash:
ee77030f3e194368a525559ea9371dbee2c4393b
Link:
https://www.unpac.me/results/cf227af0-e86d-4d58-b815-dcb663477908/
SH256 hash:
9cd82dba6c55d901ac7d7007b7a04a30146ad7c297400d44f9d96b90c5ca25d4
MD5 hash:
d9477c36da677507cd33c6eef325d694
SHA1 hash:
330dc88b5041ca9edf57542f5a30c37eef6f11b1
Link:
https://www.unpac.me/results/cf227af0-e86d-4d58-b815-dcb663477908/
SH256 hash:
cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb
MD5 hash:
97f5fbaf3ca032af6ac15595beed482b
SHA1 hash:
c9dfc78734d5569f95f0641509b2d027c84268e1
Link:
https://www.unpac.me/results/cf227af0-e86d-4d58-b815-dcb663477908/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cc438754d878/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe cc438754d878645082b6c4a5df470954bf5eeb09d193dad5e59e8a47eb9abbcb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1866163/
Cape
Cape
https://www.capesandbox.com/analysis/212561/

Comments


Avatar
zbet commented on 2021-12-08 16:31:52 UTC

url : hxxp://23.94.174.144/hxxp/reg/vbc.exe