MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9acad219b9fa52e4258fafd8c85b9e473b8f99435f4d9af4dbb953fae94a17d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: d9acad219b9fa52e4258fafd8c85b9e473b8f99435f4d9af4dbb953fae94a17d
SHA3-384 hash: ff9205b337b53080115605d29c420dfc6ef45dbafe6dc87f427c53af03150ad8d529e8215fb3a268dcb01c3d6782ed41
SHA1 hash: d052f14e1fa2f4c56ea840fd21b150740d42f743
MD5 hash: fdc51916875811dd16bc68b728d06a2a
humanhash: lamp-floor-bakerloo-robert
File name: triage_dropped_file
Signature: Formbook
File size: 791'552 bytes
First seen: 2021-11-16 12:24:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1825a6fb598ec6fc9725ba8c7a08f1f5 (3 x Formbook, 1 x NetWire, 1 x DBatLoader)
ssdeep: 12288:Sol54/49rtv00LHDPPoE8+N18rKZcT5VFSl5liL63F:SAy+tv00LHLPFVKKgVFSl5liLc
Threatray: 11'590 similar samples on MalwareBazaar
TLSH: T13DF47CA3F6D5A23FD0526D394D0A612C5573FF241873B04279EDAEDDAA78340663E322
dhash icon: 1130767c64360841 (4 x Formbook, 2 x AveMariaRAT, 1 x NetWire)
Reporter: malwarelabnet
Tags: exe FormBook xloader

Intelligence

File Origin
# of uploads: 1
# of downloads: 128
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph (text summary of the graph image):
Behavior Graph ID: 522808
Sample: HTiQ6EoENC.exe
Start date: 16/11/2021
Architecture: WINDOWS
Score: 100
Contacted hosts (sample level): www.fumiccho.com, www.mcrosfts-update.cloud
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 3 other signatures
Process tree:
  HTiQ6EoENC.exe
    DNS: upqwba.bl.files.1drv.com, onedrive.live.com, bl-files.fe.1drv.com
    Dropped: C:\Users\Public\Libraries\...\Hwvhyvxu.exe (PE32); C:\Users\...\Hwvhyvxu.exe:Zone.Identifier (ASCII)
    Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    -> HTiQ6EoENC.exe (started)
       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
       -> explorer.exe (injected)
          -> Hwvhyvxu.exe (started)
             DNS: upqwba.bl.files.1drv.com, onedrive.live.com, bl-files.fe.1drv.com
             Signatures: Injects a PE file into a foreign processes
             -> Hwvhyvxu.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
          -> WWAHost.exe (started)
             Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
             -> cmd.exe (started)
                -> conhost.exe (started)
          -> Hwvhyvxu.exe (started)
             DNS: upqwba.bl.files.1drv.com, onedrive.live.com, bl-files.fe.1drv.com
             Signatures: Tries to detect virtualization through RDTSC time measurements
             -> Hwvhyvxu.exe (started)
          -> help.exe (started)
Threat name: Win32.Downloader.FormBook
Status: Malicious
First seen: 2021-11-16 12:25:07 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 3/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:ht02 loader persistence rat
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.nslbeauty.com/ht02/

Unpacked files
SHA256 hash: 884d99b457e14d78d737b3ac26748c6a4aa834de2317acbe0fb87fcb5d23f65e
MD5 hash: 422adab412b2bc9eda31361e676cb23a
SHA1 hash: 0f23391f7d7c36b4623f33f4046c009344221b2d
Detections: win_temple_loader_w0
Parent samples:
0593cdcb398c7b41a48babc22d84ede200329ced43988cd5695ee43ef806a314
1fc33c4cccbeac1f2a0a7a4145ab2248848d349ec89f0594a564aa6ef7704a89
e6729c12a687adf7245a883c5443a07a3cb01b22eb00484f96a63ccc9c3206e3
907e137a557e977c328f24618862f46dc2c508fad2568d4c171ba4e4cc42e8da
ef2754157037c661f6acf043f9af565be640a4bf7cc569fd38ae605c919e60e3
5e04368cce9500421ade8062e6c27a7ce3c027d2cb8538b7b0d4515823c6e491
74825f8f5dd7d626ff09e1805dc75ecdf92271b8d2148a9bbc8f5cb01b56703a
c8d54eac34afd28839ae109f0813ed54f21ee9d17a8ae54e5b12a11ec9250999
8a25ceb505dd2a4edf42f9be624def15d5f501c0dfebd0f8ed53b7ada0c56df4
d758edb6fa48c621458fd03dfbf78c5ac5df1dc26e749341dbdd588f3bd1ed30
918f98e66f1aae5bebe260cd5ddb4336318dc9a4193f130ac680ce3847bdfa9f
745918c719c623204c2c339cc9c2073260f833c4082d15bcb890a6848d872b71
04c53261b1220a894a02f5ffb39cdfd73f93481c0b5c8106d21c91b20205c62d
045a680f5cff3aa889bd6e366a1445dc6c9f066b6601ba69f973c77cf37a5bd2
284d63bee40558dcdd96057cbc0a07fba210b2de0111da57530ff2083d0d57f9
3ccb4131b2f8cf9a54cf003e6d29e841d83425aaa3b1c2fcc1bd253e855ff106
9a476d9eaca8d1c370dd3b25a1b99fd202321df9ef39e1254ddf6170d29e700c
75d58f5b4293ffc19d29586f96508fe473b3688503ab75a9fecf8b280af3b55a
41d511392fc1e9e37a96d7e0d1e2a947d3de3da299d1a0fab9f522b98e38b659
3f9fd47a1850bb51e06ce78cabb32d839b4d4f68daf028aa0465d7cb85099b1a
f26f9e3fccab0e855f132f00715cfdbaa9efbbc923fc702961d826987d7c15aa
51480df228e943d128557273a4b3f6917ced7ddc84210fafb9054459f5303757
d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758
9f1a46f25ff46ddc69bb64b4bffbf628e41eb6c4820c617bfb06fd287e8cd08a
eaa933474582c1c4544da0f4d1f8e53e4b54937b8fa147ab9f88af2e1371477b
9f87aa938179953b88e6d47d4f2d07f82ec683a90ff0d77d8f50ad67ab55ad89
2ff7e6416c11b63082a3be7e742dff8da9fe4e174103d3034c7dc1e897f58b8c
7e7b60d769a5b99a90bd993f08a8b9175273e35d9447f91da28e61b05a746a99
480f201b5183d8ddf826462569bcf719750368df95907ee93aa3fe3cd8212acf
c9fad97fbc7d306ae0a8b6ba457d295786934e6580b279e40ab2ca7ad5bd818c
d544f115e860d3282bd996d7b12ac92c10097d68d135667cca0f847ca754f8ef
6ca5731b4511041dfe859ec3c1739ae2e1b1485481229e40446c9cdb58fd04e7
387e7195e10a2add7c9dce1051be7520ed0fa188794a710eea6a43845a36ce4a
677890096bad46b0e589094bc7bf25ec5ce8f54161422548da6a253dd387655d
cc387181593d803a367fcf95d0ed8ca7929d0c5b383c4d960f5a44d4cadb2c4f
0c5302d501f9872ff027d1486416daceb8a5b9af7eefb6268fd78d38bb6c8b37
84c89b2859b386f60a109593eeb9068e52b10f435872d2e7abe76bffb4e9d564
d0d6952f4459c50159f7a9142da641df17cae7dc758c9a34bdcd19765bea37bc
b88385613d90ebbd240b11a3847fc2117c0d832fdf7a3c45f1ed68692ed68038
ad4419aaf4f9f6eb21b32e26972b15edffd65e794eccbb85819701894da33a3a
8432944d28cd034b5fa922a2bec2f1b16f9df5de133d51437096d3c321d130af
4b376277cce9c1e365afb51b78046354176a443b45bb6bc123a3ea69710c6c65
955e25e69ec794dcd2a45b79f3eeecf71c734eb675e8a3e14691bbc8fbca5f52
cc2894394da12ab098b78a9ca9fa5c462f294a6c678d584d6d283c6d436d88c4
d9acad219b9fa52e4258fafd8c85b9e473b8f99435f4d9af4dbb953fae94a17d
c0e8dcedbd14b2822b8a673edef16a50fecb54ebbef846532cd6cf78da1127d6
76e7e27f4fcf15610764d121949f84e3b415376bfc5e88c08d85b613013ba87f
48667ddc42d9eadc23dddc65f60f0de6e58afb6857953f282f7b02c115e9eed4
fd74ae5599070fa447bf1f0451a88673f3b0a6285dbc69ecae11d6ec7cedbdf4
92f3596778824929bff1a64b43bc00c97f229de8d136dd6751a4972bba237bf3
2a8e3c217313095f5159adee7d90a5a2e0f1db12cb8977d9e073086ea0b62f21
d89aec551f2358a723b7419c767a401daf6f62fc22f20edacdbf0e6851c99c3f
51cf8bad7a9dfffdab43a17761c29b9d1bd1004675a4e9fa6965e5430a6e371b
8968808899b3e810e675fc87e6ff0f61c82b444183fd7f8febdb276eee05e683
7212dd968ce2504f6835fb5cdcc868f9315ba35ce8f4e1162fc6fe339271a27b
71f1357b11f35eef18854a9a7c33b65ce665b2b150ae5dd79aeaefc2691e9849
2495bc16feccab6c1e1a151993ca42fdb98caa81f11d5933226bf1f72bf7bf70
d888524b5e84e5afdfd32a627b1a5c5b55f04a72440d0260b8e430324c023009
62f36cc4ec3591ca9db78a063f6f215746f453f1181c64c0adda032ea86c53fd
1fbca7154111316e9d34ac02beb2377d20ca8426cc83669c89313a4a83358503
8d94a03c55cbee95ae76109eb888c7d86c02643059eed45234743f5bf30f9874
3da0a121182f06ffdc6e8305f04b89aa2bf57ef24befa9717b0bf3c138918339
2090f5fcafd8bc1938e4ddd869d911e1a89ac529ba984d914cc2f98fadcbc658
SHA256 hash: d9acad219b9fa52e4258fafd8c85b9e473b8f99435f4d9af4dbb953fae94a17d
MD5 hash: fdc51916875811dd16bc68b728d06a2a
SHA1 hash: d052f14e1fa2f4c56ea840fd21b150740d42f743
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Comments