MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8e0fd32eb51496e7f66b76ff106753742988dee2974cf885825a6d9aa8ee5f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments 1

SHA256 hash:	d8e0fd32eb51496e7f66b76ff106753742988dee2974cf885825a6d9aa8ee5f3
SHA3-384 hash:	be461e05f0140792cc56e19250b729c4c40ac470f65d9bfff7a7b2cc202c8b7062e934c167c013848f1a930a949b41be
SHA1 hash:	406403455110b5e12c4b77a45df38672a5a9113e
MD5 hash:	61be5168cca3b1d728229f863b9f1162
humanhash:	jig-lactose-oklahoma-december
File name:	61be5168cca3b1d728229f863b9f1162
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'389'080 bytes
First seen:	2022-05-20 13:18:00 UTC
Last seen:	2022-05-20 13:40:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3ec3dfdccc2e2dd2d4c62887f00d1d00 (3 x Formbook)
ssdeep	24576:TQGYT2NYwIeM8Q4eBAE5OdsoPUK3jhTi+sOo+spOYRo7tTK:TIuYheMp4zddskUkjhTi+kppOYRF
Threatray	15'670 similar samples on MalwareBazaar
TLSH	T1115523947AAA9072D01937B94DBFFB84173575961170A80B75C8230C9FFBAC6B823B17
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9b2565696965293f (3 x Formbook)
Reporter	zbetcheckin
Tags:	32 exe FormBook signed

Code Signing Certificate

Organisation:	livecode.com
Issuer:	cPanel, Inc. Certification Authority
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-03-29T00:00:00Z
Valid to:	2022-06-27T23:59:59Z
Serial number:	5c37e321f7fa9d7df439d21b78b11e64
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	458983402cc95dca53a698e3087285a16ff616430042a3cbb887a902886687c7
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

61be5168cca3b1d728229f863b9f1162

Verdict:

Malicious activity

Analysis date:

2022-05-20 19:36:31 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/c2aff4fd-c576-47f2-97f5-eeac9dc59d25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/273051/

Detection(s):

SecuriteInfo.com.Variant.Jaik.74944.10420.19538.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching a process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19237/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware overlay packed wacatac

Link:

https://www.filescan.io/uploads/62879521abd12523507e14b3/reports/d9f346ee-abce-44b0-bed6-ff15212800e6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/0ee9b3ac-b364-4e01-947f-3367f9f976cb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998609

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/d8e0fd32eb51496e7f66b76ff106753742988dee2974cf885825a6d9aa8ee5f3/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-05-20 13:18:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3dqp2mxlkfew473gw5x7cbtvg5bjrdpoff2m7ccyewtntkuo4xzq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1fa17f6996cc7efdabe3099d0543ec457cff4f54d246c089d6d7dd8e72eee1c9

Formbook

2ce3bb2f2bdd62386f03aad4fba2cf7f57fd4cf165a8205eccff61986ddd42d5

Formbook

3e20e05dc0f89bd2a37936b5e3a2631af6cdb687218275731b6f7e7f79febc9e

Formbook

4daead502dfca41fa6e5789eb458e5bc60ed7da6c8af2229596e1e0697f50701

Formbook

adaa16ed962f30078fc9bae10e80f8fa2f3fa062e8a115ceb0e5326e9feca24c

Formbook

ade283e1dc7b88a52ca2c0ac149af10ff68dff1709a27dd800936a7345cc6b56

Formbook

bea7dde650c823aa2887bc7065abd818c02e573c041ea69c1ea60c43fe1a79df

Formbook

f156099a9282dcdcab3acbf57c50bc1d0121a6e9714d43ba69ab9934ab0d9439

Formbook

+ 15'660 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:uu0p loader rat suricata

Link:

https://tria.ge/reports/220520-qjx1psddf4/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

58df16cc5b2735cc50d681f19689767ebab5275134f9e45d2e87c106921a697c

MD5 hash:

179cbf05f2e766cb5e561d348a18ed94

SHA1 hash:

067be928ccc2b973d2b0c2e355a66f592e95176c

Link:

https://www.unpac.me/results/aab09923-53ec-4e81-886a-68e4b91755d2/

SH256 hash:

0bd5fa031ec4bb4bc9ceaad0f987283a2a910aebd293d42f9128e8ee8e482c6d

MD5 hash:

2a20efbc2981ac9058a0125f983b01a3

SHA1 hash:

b3a0eb4657093115bc5a01640c7187f7a93ec32b

Link:

https://www.unpac.me/results/aab09923-53ec-4e81-886a-68e4b91755d2/

SH256 hash:

d8e0fd32eb51496e7f66b76ff106753742988dee2974cf885825a6d9aa8ee5f3

MD5 hash:

61be5168cca3b1d728229f863b9f1162

SHA1 hash:

406403455110b5e12c4b77a45df38672a5a9113e

Link:

https://www.unpac.me/results/aab09923-53ec-4e81-886a-68e4b91755d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.92

Link:

https://yomi.yoroi.company/submissions/d8e0fd32eb51496e7f66b76ff106753742988dee2974cf885825a6d9aa8ee5f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.