MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
SHA3-384 hash: aa73ab37130ea63eb393300f57478a071e2c6476cc436e69448f1ae49d31a11e6acf0c8f07a28562e8dc15e6e26dc063
SHA1 hash: 58af3de1e2e55241141f05a3a82163ed2ef62339
MD5 hash: 3c1bcfc5e5d1327746d9e8d3fdb5b49f
humanhash: venus-chicken-fix-wolfram
File name:D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:3'972'145 bytes
First seen:2021-11-09 04:56:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yG5CSRr8iMqvDG/gvVs86oR52IZUwZL+fjZPjifkqO2:yWv8Ix1UnfjZP2e2
Threatray 678 similar samples on MalwareBazaar
TLSH T1350633DC2510D493FA2ECF7267464FA1260FDD9D54B1EA1BA3CA534DFC12A0CE3196A2
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Formbook C2:
86.107.197.248:59530

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
86.107.197.248:59530 https://threatfox.abuse.ch/ioc/245919/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204349/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed ramnit
Link:
https://www.filescan.io/uploads/6189ffa0175442ca93a89591/reports/7be4e9a9-dc98-4125-8d2f-9254e8cc5bcb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b70c44ac-e004-444e-bffa-b61f3e86ce18
Result
Threat name:
Backstage Stealer FormBook SmokeLoader S
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885722
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 518191 Sample: D1F610AF3C46FFF6C857BE0136C... Startdate: 09/11/2021 Architecture: WINDOWS Score: 100 90 88.99.66.31 HETZNER-ASDE Germany 2->90 92 162.159.130.233 CLOUDFLARENETUS United States 2->92 94 2 other IPs or domains 2->94 114 Malicious sample detected (through community Yara rule) 2->114 116 Antivirus detection for dropped file 2->116 118 Antivirus / Scanner detection for submitted sample 2->118 120 14 other signatures 2->120 13 D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe 10 2->13         started        signatures3 process4 file5 88 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 13->88 dropped 16 setup.exe 8 13->16         started        process6 file7 60 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 16->60 dropped 62 C:\Users\user\AppData\...\setup_install.exe, PE32 16->62 dropped 64 C:\Users\user\AppData\Local\...\libzip.dll, PE32 16->64 dropped 66 3 other files (none is malicious) 16->66 dropped 19 setup_install.exe 3 16->19         started        process8 file9 68 C:\Users\user\...\717d52c15560bcc853bc.exe, PE32 19->68 dropped 22 cmd.exe 1 19->22         started        25 conhost.exe 19->25         started        process10 signatures11 122 Adds a directory exclusion to Windows Defender 22->122 27 717d52c15560bcc853bc.exe 17 22->27         started        process12 file13 70 C:\Users\user\AppData\...\setup_install.exe, PE32 27->70 dropped 72 C:\Users\user\...\Mon07ff0d7433b64c.exe, PE32 27->72 dropped 74 C:\Users\user\AppData\...\Mon07fc7c8cf0a7.exe, PE32 27->74 dropped 76 12 other files (7 malicious) 27->76 dropped 30 setup_install.exe 1 27->30         started        process14 dnsIp15 110 104.21.43.244 CLOUDFLARENETUS United States 30->110 112 127.0.0.1 unknown unknown 30->112 142 Adds a directory exclusion to Windows Defender 30->142 34 cmd.exe 30->34         started        36 cmd.exe 1 30->36         started        38 cmd.exe 30->38         started        40 6 other processes 30->40 signatures16 process17 signatures18 43 Mon07ff0d7433b64c.exe 34->43         started        48 Mon074c57e5ff1f75.exe 36->48         started        50 Mon0709e45b7a78e6d7.exe 38->50         started        124 Adds a directory exclusion to Windows Defender 40->124 52 Mon075f891411c0.exe 40->52         started        54 Mon07def5b74567a.exe 40->54         started        56 Mon07fc7c8cf0a7.exe 1 40->56         started        58 powershell.exe 25 40->58         started        process19 dnsIp20 96 45.142.182.152 XSSERVERNL Germany 43->96 98 37.0.10.214 WKD-ASIE Netherlands 43->98 108 14 other IPs or domains 43->108 78 C:\Users\...\mB3pXGucMs0mRsMuKf2nFNLg.exe, PE32 43->78 dropped 80 C:\Users\...\3NPRuoTWJ6kKb_vH2srboXTf.exe, PE32 43->80 dropped 82 C:\Users\user\...\search_hyperfs_204[1].exe, PE32 43->82 dropped 86 37 other files (11 malicious) 43->86 dropped 126 Antivirus detection for dropped file 43->126 128 Tries to harvest and steal browser information (history, passwords, etc) 43->128 130 Disable Windows Defender real time protection (registry) 43->130 132 Detected unpacking (changes PE section rights) 48->132 134 Machine Learning detection for dropped file 48->134 136 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->136 140 3 other signatures 48->140 84 C:\Users\user\...\Mon0709e45b7a78e6d7.tmp, PE32 50->84 dropped 138 Obfuscated command line found 50->138 100 208.95.112.1 TUT-ASUS United States 52->100 102 45.136.151.102 ENZUINC-US Latvia 52->102 104 8.8.8.8 GOOGLEUS United States 56->104 106 192.168.2.1 unknown unknown 56->106 file21 signatures22
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 19:21:11 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h3bblz4i377nscxxyatnruwmbhlrz2gnnfh4qhwwrm47kbtsqra._file
Verdict:
malicious
Similar samples:
18f74890fef60f1e18d5b1d0b43f100c69b430445187d672bbedf46aff687d09
Formbook
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
Formbook
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
Formbook
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
Formbook
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
Formbook
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
Formbook
+ 668 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar family:xloader botnet:706 botnet:865 campaign:s0iw aspackv2 backdoor discovery evasion infostealer loader rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211109-fk9qsabfcr/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Xloader Payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Vidar
Xloader
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
http://www.kyiejenner.com/s0iw/
Unpacked files
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
5141358e3cf7e38a08f24756b11c09e0aee1fec5f772fcdae2b76119499089cf
MD5 hash:
b51276d58889e5059fe2aebe2c9a7ffc
SHA1 hash:
818c793937698bea493e5f04113474b8b8b3b9f9
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
7186da74d44112da792710745db3c83a0d658dad0674394250ebedb0fde4d71f
MD5 hash:
3ca784b7a97c042d7aff41e6c647879a
SHA1 hash:
6ff7edd1f23cbfa6fdbdbd135e587f580ed9d0bc
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
7df0b5b088a31bdc67ec27021db2d5989d6fc94b687a8c9ca2e99d37d48bcf7c
MD5 hash:
73b349cee038050c112cb9baade84a05
SHA1 hash:
6efb55d022314386d28dd1d3fa03d475f0ddf3fc
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
ed7a862de65a6965ed592dd5161aad62357de397a3746f39646fd24da9d29603
MD5 hash:
79c2881af69e29501dd5e042fd0cb652
SHA1 hash:
47e5275409a768ecb6f85e1300fe56e8666a727d
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
9f49d2110ce857ad6bc5a59870ee37d02651dd381820320827a7477082836f3e
MD5 hash:
aba80c623dd45ad9f26e1474cece96af
SHA1 hash:
462562d51999490104300abd8999d25c03f359c7
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
94f38f0034deb0d2fe29c30b991581dd90313b2b2cd8cf83c143d303b0a29d5e
MD5 hash:
cdde008d109db2d1e4342910af1ab4ab
SHA1 hash:
30c279f320de8296a7a2b27f0bde3677389e9639
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
0d8bd8216e1c841b9d8836710cf783c2eb705cff636f6bf980e40b1c74a07458
MD5 hash:
58bd0ca48925971609c4fb401c3a967a
SHA1 hash:
2f1ff97987dc155fd781f69718e38150175899f9
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
424eb094b40901ea9e2a8b53ce7ee29c9b9c2401cc85447a9117723d63789cbe
MD5 hash:
9846c1e317e308f46a807bf0ccd2f085
SHA1 hash:
23d85d7d9da727e048dd1c0349b35d2299f26d77
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
f698132f4652196f2724cff4ae2d5dc6cbe8ec2b00b62fe0c47380b52542798c
MD5 hash:
0a00187594549de251bd1ca57782a14e
SHA1 hash:
381c3b00f5704345d21303899c2a8b3b1a2a8a66
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
2d9a52aaff47bb2d832a9070a0bd67f408c9d1f558c0d6ed949a263ccf9c5558
MD5 hash:
fd0d9a550a573ab9be615e9272fc0f79
SHA1 hash:
a0fa3445f1835f1465f7855b88941e5c232f967e
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
0fa0bfa978232f88f9204b39656799122244d5de37251e171e2f18d0333be629
MD5 hash:
44d2e5f04054341f2c32b59b5b74233a
SHA1 hash:
f5ffec6ca54013282f653a14e72ad3d673c74d2f
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
b975b5c227ad1487f41b7708f86489ca7b742c22f4d061332ff439278ee72d66
MD5 hash:
002f43595f5aea812f25247c4df5b4e4
SHA1 hash:
e0f7831f4d28ce4586b4900faab1df9cecf81046
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
32d7b41906dbbaa5e1d2ce38edac47e7f0cb1582c7666655e8c946138be47521
MD5 hash:
45ca9e29ac7389d803ac3ef11d063317
SHA1 hash:
8727280518067f50746d9d85ea906ea17cea08bd
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
SH256 hash:
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
MD5 hash:
3c1bcfc5e5d1327746d9e8d3fdb5b49f
SHA1 hash:
58af3de1e2e55241141f05a3a82163ed2ef62339
Link:
https://www.unpac.me/results/bb482c01-b908-4bc0-bb65-769d12dde94c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d1f610af3c46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204349/

Comments