MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
SHA3-384 hash: fb97863c79e64ec381d5fe7fdcb44fc58f0a0ded472be8e2ffcf47a8e172fbd0f1a11dda2b4b435679371a8edca29dd3
SHA1 hash: 750cec00b9f8b8298436e41bf8083c7842b95b05
MD5 hash: 4b86af1f12bcc05b5586eec0f26e0ef9
humanhash: burger-lamp-summer-december
File name:4b86af1f12bcc05b5586eec0f26e0ef9
Download: download sample
Signature Formbook
Create hunting rule
File size:897'536 bytes
First seen:2022-06-29 08:32:24 UTC
Last seen:2022-07-22 10:07:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:mnVRaVBN/bcN+yFGpXYxd5scwK8mbpWvVA:jBN/S+y9jacwK82O
TLSH T14F15AE18A7E86E97C4AF437EF4512A190375F244EB47EB4B1398B5FE2C92394DE50283
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284176/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62bc0e44a17f249ae3e58fd1/reports/58325643-8a24-4b5c-94ab-2ce9d135b0f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9c80200-26fc-4fc3-b616-a2ccb5ff52f9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021738
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 654236 Sample: 77b0ZNgySG Startdate: 29/06/2022 Architecture: WINDOWS Score: 100 34 www.thisismyhomevalue.com 2->34 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 9 other signatures 2->48 11 77b0ZNgySG.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\77b0ZNgySG.exe.log, ASCII 11->32 dropped 64 Tries to detect virtualization through RDTSC time measurements 11->64 15 77b0ZNgySG.exe 11->15         started        18 77b0ZNgySG.exe 11->18         started        signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 Queues an APC in another process (thread injection) 15->72 20 explorer.exe 15->20 injected process9 dnsIp10 36 www.shermans8.com 162.213.253.133, 49719, 80 NAMECHEAP-NETUS United States 20->36 38 www.hg-jewelry.com 149.29.96.215, 49720, 49721, 49722 COGENT-174US United States 20->38 40 2 other IPs or domains 20->40 50 System process connects to network (likely due to code injection or exploit) 20->50 52 Performs DNS queries to domains with low reputation 20->52 24 control.exe 12 20->24         started        signatures11 process12 signatures13 54 Tries to steal Mail credentials (via file / registry access) 24->54 56 Tries to harvest and steal browser information (history, passwords, etc) 24->56 58 Modifies the context of a thread in another process (thread injection) 24->58 60 2 other signatures 24->60 27 cmd.exe 2 24->27         started        process14 signatures15 62 Tries to harvest and steal browser information (history, passwords, etc) 27->62 30 conhost.exe 27->30         started        process16
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 00:43:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27nodva33peczelc3rwrfftqybov5ag4qn4dusg7sbqwbgokkb6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nn40 loader rat
Link:
https://tria.ge/reports/220629-kfxb4sgbdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3
MD5 hash:
f8fbac0b58d026c8dd80df878e2e7774
SHA1 hash:
69de8ce161c2fdd0d10aee01a20a1e3b2b51237c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/2dded98f-a250-4ea9-adf6-dffee7489e23/
Parent samples :
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SH256 hash:
5723367d7cd48b98eb468740ee30085b10bfa3d6a9774e36936e6026aa58af05
MD5 hash:
ccb0686ddfcd782f6adaab81f29a9348
SHA1 hash:
fb2138780442d54c9b367ae901c7150c1d21f087
Link:
https://www.unpac.me/results/2dded98f-a250-4ea9-adf6-dffee7489e23/
SH256 hash:
6bed4a053f449f050bef24802fe504ae1c06a5ef1f0502f90e387ca2ae7c7495
MD5 hash:
ab58ef37af8f300122f8962d77fcc6f6
SHA1 hash:
e1337523c9f70c80303b42282e32278ff3e2e54e
Link:
https://www.unpac.me/results/2dded98f-a250-4ea9-adf6-dffee7489e23/
SH256 hash:
ee1f9aa07b4242268ed4b1e6b7a873a6a0354cb63da791863bfdda41fedf520e
MD5 hash:
707104746f5fc4ad64dad55a11b2364e
SHA1 hash:
d8f8632147a32b2aa912914df9b800a4ef4f3591
Link:
https://www.unpac.me/results/2dded98f-a250-4ea9-adf6-dffee7489e23/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/2dded98f-a250-4ea9-adf6-dffee7489e23/
SH256 hash:
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
MD5 hash:
4b86af1f12bcc05b5586eec0f26e0ef9
SHA1 hash:
750cec00b9f8b8298436e41bf8083c7842b95b05
Link:
https://www.unpac.me/results/2dded98f-a250-4ea9-adf6-dffee7489e23/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7dae1d41bdb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2252338/
Cape
Cape
https://www.capesandbox.com/analysis/284176/

Comments


Avatar
zbet commented on 2022-06-29 08:32:26 UTC

url : hxxp://107.172.76.188/c/tis.exe