MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d36aed39f3fb785951a4e948bcb4f86033a398ee0ddfef85040564751918b669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	d36aed39f3fb785951a4e948bcb4f86033a398ee0ddfef85040564751918b669
SHA3-384 hash:	f016a85e0fa92f3fe184fd2a26bb5ba3afcf168afac0c98e41f2dc2ae609e5a5edca9158a2346ee9014677cb07112e78
SHA1 hash:	8429c96005743a8ff2f0b695811c39c92bd21c0c
MD5 hash:	06472f454140a4776078bb19c7d1f96e
humanhash:	fillet-shade-hot-solar
File name:	0716_220224092056.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	851'456 bytes
First seen:	2022-04-05 13:19:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:kO1GuyRoJkFA+bH2YC1FyO0Zoi/9rveDQMy:1I5PbH2nnw7eDx
Threatray	12'254 similar samples on MalwareBazaar
TLSH	T130051200B5E8295EDE2FFBF958FF1831573EAB22693DC51928B6B1C97A603805091773
File icon (PE):
dhash icon	71d49a6551b2cc71 (5 x Formbook, 3 x AgentTesla, 2 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/260947/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/624c4208aa7e43c6a6bc603c/reports/047f1204-4e02-4331-b344-be29376e5688/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5643ef3c-fc12-4a8a-a562-08dd779f656e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/970834

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/d36aed39f3fb785951a4e948bcb4f86033a398ee0ddfef85040564751918b669/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-04 12:38:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2nvo2opt7n4fsune5felznhymaz2hghobxp67bieavshkgiywzuq._file

Verdict:

malicious

Label(s):

formbook

Formbook

acafe0e95f56a3a9105873aa70599b60c7e05b99f68006c763b21d590cc03906

Formbook

bc5116cdc710b153d2c32a9ecb5bccd7f3ed3c4cee398b9eba9f482dc5c77cd1

Formbook

c232cf286c8156708491756db96442ab995cdaaea58875a7c63e3e496b30d0cf

Formbook

dc36fc5d4c108d54e3a2a4a5309f87093f484e4bc928158c0a749417052f6f56

Formbook

f469b5c967ff28b96444a48b6769ccde102417de9d59df1878bfe486ade890dd

Formbook

f4bef0754be1d8e60471746bb06004a86ab38cb0ffb281973fd45f81b610307e

Formbook

+ 12'244 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ee3s loader rat

Link:

https://tria.ge/reports/220405-qk3btafhe2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

Xloader Payload

Xloader

Unpacked files

SH256 hash:

77710db4fd14880886d0e77d163a7ed0f6a311b3fd61b859a0f2f2ef64e277cf

MD5 hash:

74fe265e2ea66172534ef558b23c19d6

SHA1 hash:

b831039199260d29a1de3a468b5ee9f26dae4959

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/1dddbf9c-6983-40f8-b926-ebffadb7af3e/

Parent samples :

d7e61a797f06ffccc8107b01d621197d674beb04dc0021c4a38675f6e7ff5680
5759b13137e1091398f834fc26b2b681adcce1dfaa83b9a0ab399b1566b9e69b
471429e2686887cf2416e11d6d9c2a36f639f7b971db1d7b013b933ae3f3bd6c
d36aed39f3fb785951a4e948bcb4f86033a398ee0ddfef85040564751918b669
66972078954fd71e073a89c4106dcd4a2bfa4f3ed89ab2ec638f0ba81c9bed30

SH256 hash:

2ad72d3a3fab596cdc06d15429b4cce1e1c6c13f14e1abd7eb6530c2bb79fb6a

MD5 hash:

fdc45f3b1051a26f154df33947b620f1

SHA1 hash:

aca195a0117a0ffa4a1d12e8f006d7f3b2b3cdcd

Link:

https://www.unpac.me/results/1dddbf9c-6983-40f8-b926-ebffadb7af3e/

SH256 hash:

d3c9d52d6aa5d384dc4ed6ab2ccf67f5fd50e46585d202b249760909ec47595b

MD5 hash:

8a6a0df77306b13e7baddab9fd33231c

SHA1 hash:

7c0b22d9d59e80a15126144a39f1ec23f8d01bb5

Link:

https://www.unpac.me/results/1dddbf9c-6983-40f8-b926-ebffadb7af3e/

SH256 hash:

71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4

MD5 hash:

bfcf754fb9acba752f79f44817b7be23

SHA1 hash:

01af19456b6f97790973d0d67a97ecc362ab7aed

Link:

https://www.unpac.me/results/1dddbf9c-6983-40f8-b926-ebffadb7af3e/

SH256 hash:

d36aed39f3fb785951a4e948bcb4f86033a398ee0ddfef85040564751918b669

MD5 hash:

06472f454140a4776078bb19c7d1f96e

SHA1 hash:

8429c96005743a8ff2f0b695811c39c92bd21c0c

Link:

https://www.unpac.me/results/1dddbf9c-6983-40f8-b926-ebffadb7af3e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d36aed39f3fb785951a4e948bcb4f86033a398ee0ddfef85040564751918b669

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/260947/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample