MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d04b778ed37e364a57dca3b1ba40dfa60435fd9b1c18da6981a386b7be04437c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 10


SHA256 hash: d04b778ed37e364a57dca3b1ba40dfa60435fd9b1c18da6981a386b7be04437c
SHA3-384 hash: 224ddaf7d4054c5cda0ae606cd0c51b4f23d6cb952356bd1d955869030f02e85467dfb5db277ee2aaca866b268281096
SHA1 hash: 93844c51779a4dee3c8f8d365b4e9112d1fbf4d0
MD5 hash: 1b5cbbf5d84d5dd8e565ada6124e778b
humanhash: princess-bravo-timing-music
File name: SecuriteInfo.com.W32.AIDetectNet.01.6455.2953
Signature: Formbook
File size: 649'216 bytes
First seen: 2022-07-04 05:34:10 UTC
Last seen: 2022-07-04 10:01:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'649 AgentTesla, 19'452 Formbook and 12'202 SnakeKeylogger samples in MalwareBazaar; a .NET executable imports only mscoree!_CorExeMain, so this imphash identifies the .NET loader stub rather than the family and is not a useful pivot)
ssdeep: 12288:VuOeIpaPg7tF85cQD5Q6S7iXLdZV01D2z/K0uesaPOfWTwDM:JOghF8Oa+iXJ01DEy0ues3WTqM
TLSH: T1F9D4F12DFFB6DE12C6981373C4C3442843B1E8869262DB1B358D1AA65E03B77DCC569B
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: SecuriteInfoCom
Tags: exe FormBook
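Before a downloaded sample is detonated or its hashes are pushed to a blocklist, a practitioner checks that the file on disk really is the one this entry describes and that the published digests are not truncated. The script below is an added example, not MalwareBazaar code: it copies the SHA256, SHA3-384, SHA1 and MD5 values and the file size from the entry above, validates their format, computes all four digests in a single pass over the file, and reports every mismatch. The script name and the command-line interface are assumptions; the only page data used are the hash values and the size.

```python
"""Verify a sample downloaded from a MalwareBazaar entry against the hashes the entry lists.

Added example (not MalwareBazaar code). ENTRY_HASHES / ENTRY_SIZE are copied from the
entry above; the script name and CLI are illustrative assumptions.
"""
import hashlib
import io
import sys

# Digests and size as published on the entry page above.
ENTRY_HASHES = {
    "sha256": "d04b778ed37e364a57dca3b1ba40dfa60435fd9b1c18da6981a386b7be04437c",
    "sha3_384": "224ddaf7d4054c5cda0ae606cd0c51b4f23d6cb952356bd1d955869030f02e85467dfb5db277ee2aaca866b268281096",
    "sha1": "93844c51779a4dee3c8f8d365b4e9112d1fbf4d0",
    "md5": "1b5cbbf5d84d5dd8e565ada6124e778b",
}
ENTRY_SIZE = 649216  # "649'216 bytes" on the page

# Expected hex length of each digest; also the set of algorithms computed below.
HEX_LENGTHS = {"sha256": 64, "sha3_384": 96, "sha1": 40, "md5": 32}


def check_entry_format(entry: dict) -> list:
    """Return problems (wrong length, non-hex) with a published hash record, so a
    truncated or mistyped IOC is caught before it is copied into a blocklist."""
    problems = []
    for algo, expected_len in HEX_LENGTHS.items():
        value = entry.get(algo, "")
        if len(value) != expected_len:
            problems.append(f"{algo}: expected {expected_len} hex chars, got {len(value)}")
            continue
        try:
            bytes.fromhex(value)
        except ValueError:
            problems.append(f"{algo}: not hexadecimal")
    return problems


def digest_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Compute all four digests plus the byte count in one pass over a file object.
    (On a FIPS-restricted interpreter hashlib.new("md5") may be refused.)"""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LENGTHS}
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {algo: h.hexdigest() for algo, h in hashers.items()}
    result["size"] = size
    return result


def digest_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (used by the self-check)."""
    return digest_stream(io.BytesIO(data))


def verify(observed: dict, expected: dict, expected_size=None) -> dict:
    """Compare computed digests with published ones. Returns {field: (expected, observed)}
    for each mismatch; an empty dict means the file is the one the entry describes."""
    mismatches = {}
    for algo, exp in expected.items():
        got = observed.get(algo)
        if got is None or got.lower() != exp.lower():
            mismatches[algo] = (exp, got)
    if expected_size is not None and observed.get("size") != expected_size:
        mismatches["size"] = (expected_size, observed.get("size"))
    return mismatches


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <extracted sample file>")
    bad_fields = check_entry_format(ENTRY_HASHES)
    if bad_fields:
        sys.exit("published hashes look damaged: " + "; ".join(bad_fields))
    with open(sys.argv[1], "rb") as f:
        observed = digest_stream(f)
    mismatches = verify(observed, ENTRY_HASHES, ENTRY_SIZE)
    for field, (exp, got) in mismatches.items():
        print(f"MISMATCH {field}: expected {exp}, got {got}")
    print("OK: file matches the entry" if not mismatches else f"{len(mismatches)} mismatch(es)")
```

Run it against the file extracted from the archive MalwareBazaar serves (the archive itself has a different hash, so always verify the extracted payload). The size check is cheap and catches the common case of a truncated download before the digests are even compared.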

Intelligence


File Origin
# of uploads: 2
# of downloads: 238
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness: (not reported)
Behaviour: Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Whether the presence of such a binary is suspicious or malicious depends on context.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Result
Threat name: ByteCode-MSIL.Spyware.SnakeLogger
Status: Malicious
First seen: 2022-07-04 02:25:04 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 22 of 26 (84.62%)
Threat level: 2/5
Verdict: malicious
Label(s): formbook
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files (the last record is the submitted sample itself)
SHA256 hash: e56e99140062317000672461d4337898db9f532a5592117bc87a142fa80f7e30
MD5 hash: b017f8d9bb6c94a898816e26ae23a4e1
SHA1 hash: e2e23412cde9a30f88edc8b3afc4a27cee7b55bd

SHA256 hash: ee679e9dd4660954fdaca1f32bc949a8b5d111d87f1c5910e75241119234e76f
MD5 hash: 68d920a660c36982e3302e1aeb0ea56e
SHA1 hash: aa120bdcf057afed63c64ec96d8efe330ff2ebb6

SHA256 hash: 70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash: 30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash: 94f9742d5f21b13f7d8d194fe938193cbb6a0d4d

SHA256 hash: 3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash: 9ea556e333e216a65aa09c102f36004f
SHA1 hash: 814c07f1dc68bd61840384aac3aa8346d9f8148f

SHA256 hash: c34aa4e6acbce558a855aa95fe29570c9902ad0df46b7c90cf1633d30ff715d4
MD5 hash: 272f771948ec9cb577002cb94fd33dd6
SHA1 hash: 58c6e802f7d3c944fa95e7117bf81474d3c8f300

SHA256 hash: d04b778ed37e364a57dca3b1ba40dfa60435fd9b1c18da6981a386b7be04437c
MD5 hash: 1b5cbbf5d84d5dd8e565ada6124e778b
SHA1 hash: 93844c51779a4dee3c8f8d365b4e9112d1fbf4d0
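The unpacked-file hashes above are the artifacts most worth hunting for on a host that ran this sample, since the sandbox reports process injection and the dropped payloads will not share the submitted file's hash. The script below is an added example, not MalwareBazaar's own tooling: it parses the entry's flat "Label:" / value listing (copied verbatim, including the page's "SH256" spelling), rejects damaged or out-of-order values, and emits a YARA rule using the hash module plus a CSV of the IOCs. The rule name, the tag and the CSV layout are assumptions; the hash values are the page's.

```python
"""Turn the 'Unpacked files' listing of a MalwareBazaar entry into a YARA hash rule and an IOC table.

Added example, not MalwareBazaar code. UNPACKED_LISTING is the listing from the entry above,
copied verbatim (including the page's 'SH256' spelling); rule name, tag and CSV layout are assumptions.
"""
import re

UNPACKED_LISTING = """\
SH256 hash:
e56e99140062317000672461d4337898db9f532a5592117bc87a142fa80f7e30
MD5 hash:
b017f8d9bb6c94a898816e26ae23a4e1
SHA1 hash:
e2e23412cde9a30f88edc8b3afc4a27cee7b55bd
SH256 hash:
ee679e9dd4660954fdaca1f32bc949a8b5d111d87f1c5910e75241119234e76f
MD5 hash:
68d920a660c36982e3302e1aeb0ea56e
SHA1 hash:
aa120bdcf057afed63c64ec96d8efe330ff2ebb6
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
SH256 hash:
c34aa4e6acbce558a855aa95fe29570c9902ad0df46b7c90cf1633d30ff715d4
MD5 hash:
272f771948ec9cb577002cb94fd33dd6
SHA1 hash:
58c6e802f7d3c944fa95e7117bf81474d3c8f300
SH256 hash:
d04b778ed37e364a57dca3b1ba40dfa60435fd9b1c18da6981a386b7be04437c
MD5 hash:
1b5cbbf5d84d5dd8e565ada6124e778b
SHA1 hash:
93844c51779a4dee3c8f8d365b4e9112d1fbf4d0
"""

# Label spellings seen on the page, normalised to a field name.
LABELS = {"SH256 hash": "sha256", "SHA256 hash": "sha256",
          "MD5 hash": "md5", "SHA1 hash": "sha1"}
HEX_LENGTHS = {"sha256": 64, "md5": 32, "sha1": 40}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_unpacked(text: str) -> list:
    """Parse alternating 'Label:' / value lines into records. Each SHA256 label
    starts a new record; malformed values or out-of-order fields raise ValueError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines), 2):
        label = lines[i].rstrip(":")
        field = LABELS.get(label)
        if field is None:
            raise ValueError(f"unexpected label {label!r}")
        if i + 1 >= len(lines):
            raise ValueError(f"label {label!r} has no value")
        value = lines[i + 1].lower()
        if len(value) != HEX_LENGTHS[field] or not HEX_RE.match(value):
            raise ValueError(f"bad {field} value {value!r}")
        if field == "sha256":
            records.append({})
        if not records or field in records[-1]:
            raise ValueError(f"{field} out of order at line {i + 1}")
        records[-1][field] = value
    return records


def listing_is_well_formed(text: str) -> bool:
    """True when the listing parses cleanly (handy as a pre-flight check)."""
    try:
        parse_unpacked(text)
        return True
    except ValueError:
        return False


def yara_hash_rule(rule_name: str, records: list, parent_sha256: str, tags=("Formbook",)) -> str:
    """Build a YARA rule using the 'hash' module that fires on any listed SHA256.
    A whole-file hash matches byte-identical artifacts only, so this is a triage
    rule for the dropped/unpacked files, not a family signature."""
    conditions = " or\n        ".join(
        f'hash.sha256(0, filesize) == "{r["sha256"]}"' for r in records)
    return (
        'import "hash"\n\n'
        f'rule {rule_name} : {" ".join(tags)}\n'
        "{\n"
        "    meta:\n"
        '        source = "MalwareBazaar"\n'
        f'        parent_sha256 = "{parent_sha256}"\n'
        "    condition:\n"
        f"        {conditions}\n"
        "}\n"
    )


def ioc_csv(records: list) -> str:
    """Flat CSV (sha256,md5,sha1) for import into a TIP or blocklist."""
    rows = ["sha256,md5,sha1"]
    rows += [f'{r["sha256"]},{r.get("md5", "")},{r.get("sha1", "")}' for r in records]
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    recs = parse_unpacked(UNPACKED_LISTING)
    print(yara_hash_rule("MalwareBazaar_Formbook_d04b778e", recs, recs[-1]["sha256"]))
    print(ioc_csv(recs))
```

Scanning with the generated rule requires a YARA build with the hash module enabled. Because the parent sample's own hash is the last record, the rule also matches the original dropper; drop that record if you only want the in-memory payloads written to disk.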
Note: MalwareBazaar no longer provides a VirusTotal coverage score.
