MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cde48459298f55186a44da3a0dcfc73d646c1141c4d70deeebb5b7441b0be9b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cde48459298f55186a44da3a0dcfc73d646c1141c4d70deeebb5b7441b0be9b2
SHA3-384 hash: 52ad25501d28083f112e17998044abd3e46cd0ccb78f6cfa2e68be5d3d3c1cc536d9009123d98b6b8cd471b2b7d739f0
SHA1 hash: bf0c6403ed15131301124c16d046684365acd0eb
MD5 hash: 468db2d0bdeca6fa53020e8ddd148f83
humanhash: carbon-winner-oscar-undress
File name:xl.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'204'224 bytes
First seen:2022-03-21 06:58:56 UTC
Last seen:2022-03-21 07:00:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:NWLiwG7lLDBilYn5OX5pKntMdCPtCOLsTYXIXbUmHxvDkNFMe0CBWGKUtNiGibT6:sBoL9UsntMEoReM3G0Gi3mtkpWT4R/
Threatray 14'231 similar samples on MalwareBazaar
TLSH T11245A018279D5D71E47B4A308268536D8F73B710BAC7E3CE2538B06A4D723426E1E67E
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253310/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39286623.26885.26385.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Launching cmd.exe command interpreter
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62382239dfdfa8501cc56667/reports/8d6a4edd-bed1-4051-8c51-a55b6fca7f95/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f7b3eee-05bb-4a82-9472-5f05068837f2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960448
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cde48459298f55186a44da3a0dcfc73d646c1141c4d70deeebb5b7441b0be9b2/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-19 16:14:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxsiiwjjr5krq2se3i5a3t6hhvsgyekbytlq33xlww3uigyl5gza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
108238536ab90b12dd6a5c654a1ddd27c2994b2d3fc39f87fc5f5e4847c1ec34
Formbook
21791c7eba15ff44e84b44080fa6c85cf824afafd5d987ce18d445dc942c34a2
Formbook
42c22b1ceff07541d20717e8b9fea63a1418dc92917303cdcf48cce246a7d29f
Formbook
a3a9320405303d369e0f915541fd2dffa46c96772840069b6c55b2c4051cf342
Formbook
a8d57222d66a26a6ef7fe2d8eeb11a8af7ea9693afcbb31eece3519379c07784
Formbook
b85b6101f5f24710f8c9d5a32a4fa4194c55d1088c8722b08653aac9e6a3007a
Formbook
bc7cf974c3cfb35a9e7f4abff78a9c68ae6a9ecb2eb78725adfd3ef6db6d6e0a
Formbook
d8aa0a0e024a8dbabf0ff61cb75a879e2dac0c2ca537049cb86a64071ecf6a33
Formbook
e3c2718738a6d4d07664a951dee401b2c4e9416ac6a989f6aa21c3564fdaf241
Formbook
+ 14'221 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p1nr evasion loader rat
Link:
https://tria.ge/reports/220321-hr3l6ahgc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Xloader
Unpacked files
SH256 hash:
8659119da5215c1519ce47a04375e33c315ec8e726fb37fcf2f0b62d13ca71bc
MD5 hash:
c5bd1924334b686e20695adc325cca66
SHA1 hash:
42d2e0d98d443b4a5b9d4e1054cae094ee742a8a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea8f5f10-01e8-44bd-93b8-b88708f9b73b/
SH256 hash:
359c48128c7429a85cd7f06d83bfeaef2daf8503821644705166aed2c50b4e96
MD5 hash:
eb6fd7fdfc6244e08b23349837b4d820
SHA1 hash:
09f8656320823afbb060fe46437f741499ce70a7
Link:
https://www.unpac.me/results/ea8f5f10-01e8-44bd-93b8-b88708f9b73b/
SH256 hash:
92861e6de24bf7b434c7e938428c47a1457891edf6c78661f5e66419d5d33286
MD5 hash:
e44bf937f72775944a1d75a1ab283237
SHA1 hash:
fd5a4f9fa35edf05a53c495c9a54bde2dc5746a0
Link:
https://www.unpac.me/results/ea8f5f10-01e8-44bd-93b8-b88708f9b73b/
SH256 hash:
af67477f5de219a8a1f539120a9fc7aceb3cb2f6da28fd3d18a7c3c030605d05
MD5 hash:
db1a9ce9f9e2546ae86abb4d64efa2b0
SHA1 hash:
bca8c5923f24f778591b66ff2e1a73ef5ee6b28d
Link:
https://www.unpac.me/results/ea8f5f10-01e8-44bd-93b8-b88708f9b73b/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/ea8f5f10-01e8-44bd-93b8-b88708f9b73b/
SH256 hash:
cde48459298f55186a44da3a0dcfc73d646c1141c4d70deeebb5b7441b0be9b2
MD5 hash:
468db2d0bdeca6fa53020e8ddd148f83
SHA1 hash:
bf0c6403ed15131301124c16d046684365acd0eb
Link:
https://www.unpac.me/results/ea8f5f10-01e8-44bd-93b8-b88708f9b73b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cde48459298f55186a44da3a0dcfc73d646c1141c4d70deeebb5b7441b0be9b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cde48459298f55186a44da3a0dcfc73d646c1141c4d70deeebb5b7441b0be9b2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/253310/

Comments