MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88
SHA3-384 hash:	7aace97053b47fb61a6fb745e2a27b1ac6af1ea149de432a0358f5e58836d6019d2b7e12bf82f9f2048213a44fb158e2
SHA1 hash:	d5e480da955c0d05d97b0503ee124a2ab71dd7c0
MD5 hash:	7640721fe6a93120fbbacf85c93836b7
humanhash:	quiet-hamper-georgia-bulldog
File name:	COMMERCIAL INVOICE & BILL OF LADING_PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	484'017 bytes
First seen:	2022-01-24 09:54:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:NwW3I/rWDFjhxNcHMqhlA++EraacVgTCNL0H+VyR0vrL9CB5FIO:L3IrWDHxNYthL+EmzCTCNRourLq
Threatray	10'408 similar samples on MalwareBazaar
TLSH	T187A4CFF23D1842D6F87F52B1B91EA96616E16C3EE9E0200E516FF01BC5F2357026F61A
File icon (PE):
dhash icon	0f696a86630786cd (3 x Formbook)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/221882/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Searching for the window

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61ee777c0f8c757253e17731/reports/47a7031a-e1d7-430a-8fb8-4bd84f0a26bd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbcd81fc-e647-48f1-8d22-6a5f779a502b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/926175

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88/

Threat name:

Win32.Trojan.GenericML

Status:

Malicious

First seen:

2022-01-24 08:37:24 UTC

AV detection:

11 of 43 (25.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2uzagaq6vchgsdusksx7mbru7ox5gjggtpv424cvaycg4bsh5oea._file

Verdict:

malicious

Label(s):

formbook

Formbook

194eecb866b404241cc14abfccf3ece512927dafff1e64248e1b1fb4e4acbd26

Formbook

29e7d7eec0c8b07eac1b67b2875c1942104495e5e37f8b08fd788d4157376b1b

Formbook

4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95

Formbook

6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0

Formbook

9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30

Formbook

b6766af1afb815c61741089760278a15e9089ae7b14a3537faa4ca6e4ebfdffc

Formbook

c0904a36e97e50225bc8ab11f7a9c588ebc758b1dc624d39d94da1f5268b847e

Formbook

c7eeea84c68c73b96a2bc816b9738ca8c9c2abe93f7705ec07f8d1205422d86e

Formbook

cfdf477d386cab73129ac775a953d693466176d4d4854d06d580125a8f20f9e6

Formbook

+ 10'398 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:quc5 loader rat

Link:

https://tria.ge/reports/220124-lxswpaebfk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Unpacked files

SH256 hash:

2016760276966e7d0a1b3ce5eb62661ee8e92f66e5c04da23d3862c7c2e463f2

MD5 hash:

2cb4c00b5b6341dba4b67aa976efbbd2

SHA1 hash:

0d35ccfebfa45994f925c133ef0477cb33619a24

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/828a494b-1323-43ad-8b10-21f9b4cdb4ba/

Parent samples :

088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2
d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88
2eba3f9d82559ae0f8d15c141d3844ad3ae4e98c786ab6720506ab3e80565d8f
07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e
db9a46ce4d2d56fb75e4990521c1e905526268b1a6f51311bb8ed6cc6a3ee7b1
ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36

SH256 hash:

da1de38b3cf25ad5bfe79ee6964b80efe45d1a272d7471ed10732aefa497d186

MD5 hash:

ff9580289a7ca8117e7e6a6a5497d088

SHA1 hash:

b00edc36765493b999e8aeab48978f7d4ccf8dd4

Link:

https://www.unpac.me/results/828a494b-1323-43ad-8b10-21f9b4cdb4ba/

SH256 hash:

97ee503a91fa86f380e251bb83d055056b46e03a4368020393fd64b6cc09ca04

MD5 hash:

d8372cb1348f4502f714b3f0f455d99e

SHA1 hash:

9954970c9a2f2be2f022550eae3b782a21801ab4

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/828a494b-1323-43ad-8b10-21f9b4cdb4ba/

SH256 hash:

d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88

MD5 hash:

7640721fe6a93120fbbacf85c93836b7

SHA1 hash:

d5e480da955c0d05d97b0503ee124a2ab71dd7c0

Link:

https://www.unpac.me/results/828a494b-1323-43ad-8b10-21f9b4cdb4ba/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d53203021ea8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.53

Link:

https://yomi.yoroi.company/submissions/d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/221882/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample