MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d
SHA3-384 hash:	71774d717a3523ae2fff11e584f288f97183d37b8afa561d32984944bbc25dca9adc6a94cbdb7fb6e6c75c6c26cc6c21
SHA1 hash:	66fd100d26e8e16ffb1292073e3cca539d8e5d4d
MD5 hash:	d64f47ad1647d93473130d1e301adbb0
humanhash:	winter-july-fifteen-utah
File name:	SecuriteInfo.com.CIL.HeapOverride.Heur.3636
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'392'640 bytes
First seen:	2021-02-02 14:15:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ML1uuOzAXMObC1Eq28JoZBwHfYrUXj7aaJy1taRVIzeI+Wqg/GAtGDfi/HW7ygfw:MAv1ZJgKfYoT7ry1tafCeDgeer4M5
Threatray	3'714 similar samples on MalwareBazaar
TLSH	AA55089D371371DFD45BD8768AA41C34AA717C6B73CB820BE05B32A8992D45ADE042F3
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0113 INV_PAK.xlsx

Verdict:

Malicious activity

Analysis date:

2021-02-02 08:34:32 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/2af672a3-d957-4833-b73c-024225b6b672

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/115160/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.3636.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/596721

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-02 13:29:50 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

48e5295db9ba78034bfd5ff510f893c40a6cddee73f99421aa5b77d566ed715a

Formbook

5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122

Formbook

7529675c4f443448e36de852d71111dc455009ccc66b516f898319ec2f7891bd

Formbook

a38cbbb16b9dda3d7aebcdcd033a8f5e56f17257c060859a3cdd2e1a8bb27ab9

Formbook

b3291d1f731c8e7408bbae7e36242e7223d24d7b3ef0fa2b7f07950be8dd3462

Formbook

b36c5718a19998ec936051a544a8831e85f7e08b4e7f9c5269e25e963ebabdd3

Formbook

b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430

Formbook

b9a286880c70bf7b6b049c8be7b7b14d8318b6c38d04185eced4bc48795330ff

Formbook

fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a

Formbook

+ 3'704 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210202-kc1lzzryk6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.inreachpt.com/gqx2/

Unpacked files

SH256 hash:

ef8424b924d357536efc37f6ba3ed11e9db781dd4fdd418251af8164a345436f

MD5 hash:

b7395a6404a230051855ca1880898a95

SHA1 hash:

49c576525cf29dcdcc45fc40678b1c5e96a7d34d

Link:

https://www.unpac.me/results/5a39fed1-4d67-4aa8-bdae-8fc1bb135320/

SH256 hash:

e10314a9983e4dbf050e28a3b93794ad4b19bf6d2dee3a33e0cc9db94a87e57c

MD5 hash:

176476011e6a506da97c0b5e1cb2de15

SHA1 hash:

f49b9c5d985c438d7e003188977ebba845605fed

Link:

https://www.unpac.me/results/5a39fed1-4d67-4aa8-bdae-8fc1bb135320/

SH256 hash:

3e215d8d82233de2c29a24d35ccb0c8dea1ba1f25579497b075419843d36d17d

MD5 hash:

f66478d91fdabce95474a51a82eee285

SHA1 hash:

07008d10cd2d34ddb51767456d8b83a6674da3fb

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5a39fed1-4d67-4aa8-bdae-8fc1bb135320/

Parent samples :

b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430
b9a286880c70bf7b6b049c8be7b7b14d8318b6c38d04185eced4bc48795330ff
a38cbbb16b9dda3d7aebcdcd033a8f5e56f17257c060859a3cdd2e1a8bb27ab9
5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122
b36c5718a19998ec936051a544a8831e85f7e08b4e7f9c5269e25e963ebabdd3
fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a
7529675c4f443448e36de852d71111dc455009ccc66b516f898319ec2f7891bd
48e5295db9ba78034bfd5ff510f893c40a6cddee73f99421aa5b77d566ed715a
b3291d1f731c8e7408bbae7e36242e7223d24d7b3ef0fa2b7f07950be8dd3462
f29bebf4c348274359973039283bd9e56a8611f98847be2ab794f417ff706b3d
3ab5b91315aed3147ec6d8038d620caa9e068a1b200c9c1631a1fb036e839daf
d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d
8ccda60ef18d8d5f5c5bfa7f1d141171871f51c906e44f363226b0d2a22a143b

SH256 hash:

d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d

MD5 hash:

d64f47ad1647d93473130d1e301adbb0

SHA1 hash:

66fd100d26e8e16ffb1292073e3cca539d8e5d4d

Link:

https://www.unpac.me/results/5a39fed1-4d67-4aa8-bdae-8fc1bb135320/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/987827/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/115160/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample