MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d390d8a528c62a458cb66745b0245eaf4721c9e3f3cea7ba75d16fae31a392b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	d390d8a528c62a458cb66745b0245eaf4721c9e3f3cea7ba75d16fae31a392b4
SHA3-384 hash:	2846e5e5f7cc9831a55af952e504417d727d5b77ae231b0d9a81875c340c5a5d6f9218caf1e314d7d6c7aea8f2c7b6c0
SHA1 hash:	23a7a5dd2bad6931c491e15244bffb19e6d975fa
MD5 hash:	d973b6745ca038d514b04f5495348027
humanhash:	salami-louisiana-juliet-speaker
File name:	F2123122_quantity_increased,pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	809'472 bytes
First seen:	2021-05-05 18:23:44 UTC
Last seen:	2021-05-05 19:03:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:RSH0/2Mmqbo7D4rSCxIDXVU1dH7Gm6opuW:RSH0/Gz1CiDFUvbGa
Threatray	5'135 similar samples on MalwareBazaar
TLSH	6605023C11986A16C83E177C267CD44827F5B92AA623EB0EBFC0257B5F737519B21623
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/712411

Signature

C2 URLs / IPs found in malware configuration

DLL reload attack detected

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/d390d8a528c62a458cb66745b0245eaf4721c9e3f3cea7ba75d16fae31a392b4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-05 15:19:03 UTC

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2oinrjjiyyveldfwm5c3ajc6v5dsdspd6phkpotv2fx24mndsk2a._file

Verdict:

malicious

Formbook

489e0e46a5df58a3144cd7a3ecb1fd0e29aa2db5060084ec774f1d2c8c763fd9

Formbook

5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d

Formbook

686a52a491b7e31fb584231e38ed6ac4c1821a5843464ffd537c6288ef8427a1

Formbook

959b34597496ad489c8f8371ddc89fce086376f9fc966b97d2bdfa8967ca5e8e

Formbook

9a078cc450ad8a112283812c97c397a6440275925cde819407320829c655ba62

Formbook

d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94

Formbook

dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450

Formbook

de7e8ed0bd9ad8231adb43f89717a72375e29c9360e2b78bbc918992093bc217

Formbook

edff9b174a171438f2433112957718f27abe1a825bfb7694362270d362c78911

Formbook

+ 5'125 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210505-acc5zjwvbe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.liancaiwangv5.com/oerg/

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/46ec4f50-6b8f-4c8f-95c4-9a67adfd4ce2/

SH256 hash:

d390d8a528c62a458cb66745b0245eaf4721c9e3f3cea7ba75d16fae31a392b4

MD5 hash:

d973b6745ca038d514b04f5495348027

SHA1 hash:

23a7a5dd2bad6931c491e15244bffb19e6d975fa

Link:

https://www.unpac.me/results/46ec4f50-6b8f-4c8f-95c4-9a67adfd4ce2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/d390d8a528c62a458cb66745b0245eaf4721c9e3f3cea7ba75d16fae31a392b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample