MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d234c88f0c47386bc8960ff667f0fe2d42bfc8a2f1ffcfea401f875ee3c5b23b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d234c88f0c47386bc8960ff667f0fe2d42bfc8a2f1ffcfea401f875ee3c5b23b
SHA3-384 hash: 1df6da253d79bcf4731be3741a9d9c3a449b34f09729322911422f04284cf599338b5d979b1b572e62d52090fe80237b
SHA1 hash: 2e0713ce4fa60d7aa8c18c6e2d5f03fcf7422e90
MD5 hash: 3390204f3547142d63983aedcc1a7400
humanhash: river-twenty-romeo-cold
File name:SecuriteInfo.com.Trojan.Win32.Save.a.1601.17424
Download: download sample
Signature Formbook
Create hunting rule
File size:900'608 bytes
First seen:2021-04-08 12:53:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:V/cIIK2eES2R08gkS/m5Xk6JabFu6PxdoYFpzQBcYml6VZQNBZIKUPke:VHIVTngkkIXk6JguUdV0VCqCdIc
Threatray 7'567 similar samples on MalwareBazaar
TLSH 361517E27518FB3ACC0407F26C9734E7CAB36C1B901DC7AD24E6A1D52C995A68C3F265
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Save.a.1601.17424
Verdict:
Suspicious activity
Analysis date:
2021-04-08 16:23:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5396ffad-c429-431a-a5e3-60e5efe847ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133206/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.1601.17424.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/670183
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d234c88f0c47386bc8960ff667f0fe2d42bfc8a2f1ffcfea401f875ee3c5b23b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 12:04:57 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26d86609838feaa6357a71b0801ad4b9cb8efb31aaf76f6a7a8bf012ab60b262
Formbook
3488d309b21afbc3b481320bcf1209908813e2eb8a63df772f740426034b9958
Formbook
45fda70b08542ae52a8228a61e317973f42b477583841e384e9817d7d2dd3709
Formbook
4bc0559cbf4ec33e38c556bc91fca79005454ec4b72e1101638fc4e2bfcbbb70
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
7a4de78c5eed937a8aa4e3149fac38d38fd0275ddc45b2a481f266c421230e5d
Formbook
8f5dfe8e291d0fd6aa44d6b06358b1f571f9c1a6172ca2f82a2db10327d0dee8
Formbook
9ab3bb93a6d39ab709c9b2369cde749ccbe7f3796c7c3e2fc39aa4715c3bb0fd
Formbook
da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47
Formbook
f7dc24b214db050895707a8e89d730f2230d3b235eb5d19b65807139a82c49b1
Formbook
+ 7'557 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210408-tsbg9waj7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.paintersdistrictcouncil.com/vu9b/
Unpacked files
SH256 hash:
c5519ef771321d62260735c62622297b284e823d97b29eed0dae704d89bb4c5f
MD5 hash:
0158502a4a1ee47ae2abfe604f2fd748
SHA1 hash:
3dec24548c89d943f3fe9a4dd0b8663cbdcf6e0d
Link:
https://www.unpac.me/results/940fa540-ffcf-4b34-9d09-c6cfb280a0c5/
SH256 hash:
d234c88f0c47386bc8960ff667f0fe2d42bfc8a2f1ffcfea401f875ee3c5b23b
MD5 hash:
3390204f3547142d63983aedcc1a7400
SHA1 hash:
2e0713ce4fa60d7aa8c18c6e2d5f03fcf7422e90
Link:
https://www.unpac.me/results/940fa540-ffcf-4b34-9d09-c6cfb280a0c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d234c88f0c47386bc8960ff667f0fe2d42bfc8a2f1ffcfea401f875ee3c5b23b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d234c88f0c47386bc8960ff667f0fe2d42bfc8a2f1ffcfea401f875ee3c5b23b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104226/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133206/

Comments