MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5
SHA3-384 hash: bd2d3a8edad5b94be8d682f8be402e5469397b0d82530586f82fea2dfc0ebb9d804c19d364e69fca9c64340bfed7d509
SHA1 hash: 2d9bf0b46cd37f89be12d12c36ed833894e8e749
MD5 hash: b5c5e59e2ced576d7897a76f8e2bcca5
humanhash: speaker-zulu-uranus-pluto
File name:SNO22 595406_RACX-159814.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:838'656 bytes
First seen:2022-01-25 12:49:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rEedoZHGu0/e2NQGGAGBMePjW6zAK0SgqavThbTpLvqxdDODIg6Zkm:rEeeqeAQGGAGBbWIavdfVqdDODj2
Threatray 12'844 similar samples on MalwareBazaar
TLSH T12905E0047BA4C762C13A6BF814F220148BB9795BA63DD1D96CCB52DB4BFAF208465F07
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SNO22 595406_RACX-159814.exe
Verdict:
Malicious activity
Analysis date:
2022-01-25 13:06:35 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/64794bd9-0bb8-4ed5-9f71-2d51652006b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222449/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.13267.4745.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61eff201f81da814afa3c8ac/reports/be45d691-963e-4b31-9fd8-dc6751aced82/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c401cbaf-b832-4c24-aabe-d9474b96e909
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 559580 Sample: SNO22 595406_RACX-159814.exe Startdate: 25/01/2022 Architecture: WINDOWS Score: 100 36 www.staffremotely.com 2->36 38 www.archer-claims.com 2->38 40 5 other IPs or domains 2->40 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 8 other signatures 2->50 11 SNO22 595406_RACX-159814.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\...\SNO22 595406_RACX-159814.exe.log, ASCII 11->28 dropped 14 SNO22 595406_RACX-159814.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.ginamodernart.com 54.38.220.85, 49819, 80 OVHFR France 17->30 32 www.electric-cortex.com 52.217.169.125, 49821, 80 AMAZON-02US United States 17->32 34 3 other IPs or domains 17->34 42 System process connects to network (likely due to code injection or exploit) 17->42 21 explorer.exe 17->21         started        signatures10 process11 signatures12 52 Self deletion via cmd delete 21->52 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 58 Tries to detect virtualization through RDTSC time measurements 21->58 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 12:42:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3agvnt66qyvo7opkjjazlmjmv7c6sp3axmj5fyniugs3n7sj3hcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0be58a33d1ccbb74ef24592d2d16009bd56638aef6c294af7793e57588e04ef6
Formbook
37182811d9f3a0a2b3126266dc70a5253c4745de7e18e75a4c29393fbdedb142
Formbook
69beb963daa43dd4f918d96934484b37b091ba40a9697519c9803db38a2146cd
Formbook
76d73723ac1e30fad92d7f3fdbb0a87c1d8854ad4e7d3d728805a3f26843085c
Formbook
838646bc9841804d7671fb25b3fd5d3e67e91c1d341c7125ce63ad436ada5f26
Formbook
a8d5e1d38de4f19b6e861c8f6f6f7061954ef9c132201984650a6f47fa1c0496
Formbook
a8ffb883609ff6d5a39170b1061077440637b40fc0f5a9db98cd85a6f4f2a95d
Formbook
c08281aad469530583f8216b4e4fa73c2f94807b680ae7407662ea08641dc8e1
Formbook
d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35
Formbook
d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633
Formbook
+ 12'834 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p8ce loader rat
Link:
https://tria.ge/reports/220125-p2x8ragbh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Unpacked files
SH256 hash:
ccb5f0b543560f4a5cd65e4b22502bf80ddc82c8e3eb184acc28a28bc844b4b5
MD5 hash:
4ebd9d3b5bb46e5e601cc40aa605bbfa
SHA1 hash:
e6a285910a8a34c50543a1630c28a15f7d1a2752
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1f668d9b-07fa-4a08-baea-5fdcf626121d/
Parent samples :
4724b55ca938b0bbdc393ddfecec9ccad30b911490e9fc1922546596526cdb04
22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a
d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5
58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
af662c52d97d2590fa9a275d02feaf5aab3c18365e002a288efd862bd09aa6b4
SH256 hash:
4c0ef8615f838fce4b4bf470e1146392c5edcbcfa9a98af9b7e604cabd706131
MD5 hash:
53eacef36583acf62a25534ffecb16c0
SHA1 hash:
f900a1244902dd08eaad1a6d797bad6b5a907064
Link:
https://www.unpac.me/results/1f668d9b-07fa-4a08-baea-5fdcf626121d/
SH256 hash:
f02bd4183c7549d44448aeb9b6be4018d3f33c483dc76f18dca58d2ea5375cf2
MD5 hash:
8fd465f73792cdf5cf197c5c278240fa
SHA1 hash:
b5cf1cc2a8fc04993c0e537c4cf97a3583612bf2
Link:
https://www.unpac.me/results/1f668d9b-07fa-4a08-baea-5fdcf626121d/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/1f668d9b-07fa-4a08-baea-5fdcf626121d/
SH256 hash:
d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5
MD5 hash:
b5c5e59e2ced576d7897a76f8e2bcca5
SHA1 hash:
2d9bf0b46cd37f89be12d12c36ed833894e8e749
Link:
https://www.unpac.me/results/1f668d9b-07fa-4a08-baea-5fdcf626121d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d80d56cfde86/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/d80d56cfde862aefb9ea4a4195b12cafc5e93f60bb13d2e1a8a1a5b6fe49d9c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/222449/

Comments