MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024
SHA3-384 hash:	f3606854376975b2ca13af3257cbdb012ed578362150e190b40d0bae56ab52909e1e6c6166144d8a560a7199a252e800
SHA1 hash:	4af836edb5ecb9e0518cb0a48cd0e49e2ec2ef5c
MD5 hash:	7a0c06cf30eeea3885ca20a372ba85cf
humanhash:	minnesota-gee-failed-paris
File name:	SecuriteInfo.com.W32.AIDetectNet.01.28602.883
Download:	download sample
Signature	Formbook Create hunting rule
File size:	611'328 bytes
First seen:	2022-05-23 05:32:57 UTC
Last seen:	2022-05-23 06:08:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:QTy+Lw1U5InfSooK0Yn31JEWbakR0YParja1g7:8gbz0i31Jbayhf2
Threatray	15'716 similar samples on MalwareBazaar
TLSH	T14CD41210769CAF6AC89E073AEC1462DC13F05E10BE92E707DF9A75DF2932390C25665B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.3% (.SCR) Windows screen saver (13101/52/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	688e33f0e8e071b2 (10 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.28602.883

Verdict:

Malicious activity

Analysis date:

2022-05-23 05:39:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f1a2c6c4-8408-4d47-b180-119b0596c898

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/273507/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

expand.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/628b1ccd054dcf0ecae17715/reports/acd1c54d-041a-4afd-9715-d1d318d2acb8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/38b5179b-624d-405a-82c9-a5ae3b66e2a3

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/999500

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-23 03:52:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2khmqy7vkhsdz4rcu4e772stnltkw4udh3pidhbi3mg4sh2q6asa._file

Verdict:

malicious

Label(s):

formbook

Formbook

4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b

Formbook

6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf

Formbook

a5ee0630cbe521aa9279b50a655a04ca59ed837919cdf94c8cafb30e4c39598c

Formbook

adaa16ed962f30078fc9bae10e80f8fa2f3fa062e8a115ceb0e5326e9feca24c

Formbook

b01852366a757d7a668950fe78fe78113c184d24db59aefe7dd52c44eaed2c77

Formbook

bbf76a25feb60b000b42552adce5f72d871a82d6c6ed3bb72a7f8d94c8886f4d

Formbook

d951d78db324f840c3dd3233c7900a8193329d769550cbf1c8857d5ef3fb5252

Formbook

ea02ed6d1f37b7f0fd8b2f02ebf1b41ba2ca81c755f3590f95b509f45f45ae21

Formbook

+ 15'706 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:heds loader rat

Link:

https://tria.ge/reports/220523-f8vxjabge8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

90eb3b67fe88efdcaefaecd2f8f238f2c7da65ea46775f15fa5c6b9c13056ad7

MD5 hash:

97dc1517ccbd11aab5766486834bd21f

SHA1 hash:

3d4f76c1fc1d210e0d527798b4aa30ae848d9845

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/fcc7a55d-1332-497d-a93a-39e6b6fc703d/

Parent samples :

d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024
edcbff4e011d46b1c1918479985c8bb094d02cdf9494f87903df9faeb6555c09
49ba8d495c9c41fc5312136f664fc1853f7b40d0f8e418953aca83ed90fd768c
813b1c80e4ae56eeeed84af1dc6a79df452cb2c9bea229b02fb06db4b0df2df6
0eea1c3e9ddad19891fb28dcd1eea6df38781a429f4634cdcfd69d1b5426b318
87575e80cf3f6f017daa1c03d530359bf2cffeaecc5b88d12af4f4f9b85111fd
6b7c57bf4436d26fb957f0bdbd399df30e7e5b20f2c78f01b47cf0c06f3fa54f
f827090da9859f703f3dd6326513af9b0486ef412c9088d823816910d6be8e0d

SH256 hash:

fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55

MD5 hash:

f20fd214bbda1a459a3eb415eec86017

SHA1 hash:

c658f61e4f308a69a4509649439814166c655e84

Link:

https://www.unpac.me/results/fcc7a55d-1332-497d-a93a-39e6b6fc703d/

SH256 hash:

1fd0f399b0584741ecdae1f30132bf02000b7983f3168c3e51e22eb3a28b3061

MD5 hash:

5eec1359266bd8ac3541c1f287daa368

SHA1 hash:

63ecf99133b9792b8d28261256359c2b9608a22c

Link:

https://www.unpac.me/results/fcc7a55d-1332-497d-a93a-39e6b6fc703d/

SH256 hash:

364ffd27af4b3588d3912c646f4c19cd2d949747d28237faaf809c694d488437

MD5 hash:

00f291ea318ad08d1d346137e9430cb8

SHA1 hash:

3af581ca348163e0fbeb6f9e19f930224364b467

Link:

https://www.unpac.me/results/fcc7a55d-1332-497d-a93a-39e6b6fc703d/

SH256 hash:

1ee81ac6ab816772bf2c5a99bc899b1218c7b5609f52e49fce7cd99e8f84a099

MD5 hash:

d55e0324b04500488c7e041d2ab1b31a

SHA1 hash:

2b2f5a9414f8869e08ba7800354a4c534212e6ec

Link:

https://www.unpac.me/results/fcc7a55d-1332-497d-a93a-39e6b6fc703d/

SH256 hash:

d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024

MD5 hash:

7a0c06cf30eeea3885ca20a372ba85cf

SHA1 hash:

4af836edb5ecb9e0518cb0a48cd0e49e2ec2ef5c

Link:

https://www.unpac.me/results/fcc7a55d-1332-497d-a93a-39e6b6fc703d/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d28ec863f551/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/d28ec863f551e43cf222a709ffea536ae6ab72833ede819c28db0dc91f50f024

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/273507/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample