MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a
SHA3-384 hash: bdfeff85c372f388f55da9dd0b76948c1cde313f837ed977641c4d3758904da54da3e7ac50f895d0fbdcc3f75b49e0eb
SHA1 hash: 44f8cdf013121dd29f61111a8fbb63cf235f5452
MD5 hash: e30086e30ceef09d5e2776fdefea898e
humanhash: avocado-burger-gee-butter
File name:e30086e30ceef09d5e2776fdefea898e.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:663'552 bytes
First seen:2022-12-21 17:58:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:82iNaRPFC1XliZJRMQo6ew0DgpjR4FRl8j:81w61XliZJRS6fpt4nl8j
Threatray 20'930 similar samples on MalwareBazaar
TLSH T199E4F15F19D1B525FFD42630C352BCA81AB31B1899F6F94C5C932C3F2920AAC6EA454F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e30086e30ceef09d5e2776fdefea898e.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-21 18:09:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4232411b-ea4b-4524-ad52-e97758c52acf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/348820/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63a34968818a052f5d8dd609/reports/77aa7127-9408-429e-995f-997d93bdc081/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ac70de2-c887-4e7d-bd35-ddce0e892fa1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1138884
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 771616 Sample: twx3mIxgUn.exe Startdate: 21/12/2022 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 7 other signatures 2->40 10 twx3mIxgUn.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\twx3mIxgUn.exe.log, ASCII 10->28 dropped 50 Tries to detect virtualization through RDTSC time measurements 10->50 14 twx3mIxgUn.exe 10->14         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 14->52 54 Maps a DLL or memory area into another process 14->54 56 Sample uses process hollowing technique 14->56 58 Queues an APC in another process (thread injection) 14->58 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.checkssuanalong.com 154.218.88.29, 49699, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 17->30 32 www.fyndme.net 3.87.129.210, 49700, 80 AMAZON-AESUS United States 17->32 42 System process connects to network (likely due to code injection or exploit) 17->42 21 colorcpl.exe 17->21         started        signatures10 process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2022-12-21 14:44:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3kyyf3pneee45rfic2vbahdivdmro572rfvp4ddtzjn2bwuys6fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28536d1922092efcff0c3a6281b52de198083fefb2af4b98f60f08e7953aa48a
Formbook
3bec2ad5a6dbafa13278a3020a14eaaae64449a527727fb701e7f5215141b4a9
Formbook
64f30bdf5f94a96237075b1c61bc5c93a7f73517f9bdf3f16601cd517713e2b6
Formbook
6a7ff71acd2cc6939ab146d4f7f74477dab1695467a630a54ae2320ceb736d47
Formbook
7e1f215877d458883e98c874ce1226b561f0ddd5114dad6baef44d66d33a98a6
Formbook
927d959485316e208b976de49016c3ce3d6adeef143b9b6eedd1310d5484d561
Formbook
95eea6606746af642726f423f651e78b52dc8652033b9ca6439a95248df0fde2
Formbook
b97d675cc03e2f033970f5357f256e461792111b78d27944225ba91558ca14cc
Formbook
cded1c33014c3c2eba1b606613b29b0095f33f91747a98e9e1b4df9d752162e2
Formbook
d82f08e067b6680bac42531431b0fcfd5af63c079b095349080e3d4ef84186fa
Formbook
+ 20'920 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:vr84 rat spyware stealer trojan
Link:
https://tria.ge/reports/221221-wkrg7scg77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
7132f0959b739a251c216e4336f932cf18246fe6ea035aaec2abe3aa05783727
MD5 hash:
8ca73030a86029ba36aaa8834bacfd3f
SHA1 hash:
fa35cf7166ed1d257ac828bba341cadbce80aa97
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/192165c6-cfa3-41b7-8bd9-c097b6b7d24f/
Parent samples :
7e1f215877d458883e98c874ce1226b561f0ddd5114dad6baef44d66d33a98a6
bd344049eb9c425e6b20e2fc4db9d18015afe7360c870acbd8c2e1272f34f8f3
cded1c33014c3c2eba1b606613b29b0095f33f91747a98e9e1b4df9d752162e2
3bec2ad5a6dbafa13278a3020a14eaaae64449a527727fb701e7f5215141b4a9
ca8ec49395ef001d05cbbbe1a69f1bb155cedaa9735bcb311755b872ccbc4186
927d959485316e208b976de49016c3ce3d6adeef143b9b6eedd1310d5484d561
6a7ff71acd2cc6939ab146d4f7f74477dab1695467a630a54ae2320ceb736d47
bb41e25dd34a4a329211ca72ba9a6437163a582be6f0f12ecd776515464570bd
b97d675cc03e2f033970f5357f256e461792111b78d27944225ba91558ca14cc
a4faadc7e9c3befad66d0e11a0365d0cb642ffdd11fc9170b02b096f658c354e
28536d1922092efcff0c3a6281b52de198083fefb2af4b98f60f08e7953aa48a
d82f08e067b6680bac42531431b0fcfd5af63c079b095349080e3d4ef84186fa
64f30bdf5f94a96237075b1c61bc5c93a7f73517f9bdf3f16601cd517713e2b6
952aefa69a84c3c3f6c3d2fb74059ea0dbe400e12bf7f7bbddf1f18d7b3406f0
dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a
95eea6606746af642726f423f651e78b52dc8652033b9ca6439a95248df0fde2
b036b3544f5ee91e85a53bc9f458f5c70792bc57b98d87beb8a350728ee012fd
13b3e8cb037ad76af405c4c7d0d73aecd0041a2a0e4c977052ffeba0e843aebd
913b4c5b56c9810727dd256451bfc8e687905102bd503ec814bc26baef7dec13
6308b07bcc8c760adc57f971a862b1852b22fba23d6050498e36ca67be5633fe
3f16eb429f1147ce1e377b5b0823eaa70070b969869f3c3179ca7e8351dffd50
63ec01839919b7f832954e17b9259a74fe90e0217f178dbd5f7661454af4c91f
5f9ceb570c01eb7213c58013ee63325fcb6e8e77295fb848e06a4ad37295c5cd
2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1
653e14efb8db68b8c88248cbd93a0fad02c12b6bbbb757e4c3e9418e0b8a8191
8ac965774bef91af710f65245ac06f9f5de2fea89c1e782c8af0f8f3c2139d7d
fd2d6f4dde8890571f6ce012b12fb0f015d01f02b8cab115a86674eef43fae29
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
83ea7959343eed6e0dd2a3c8ac6ef3ad8229cc01c79f911c2cc634ee57f7e2cf
843c93a950a42ce6ccdd4debb3b505ee31a696637c523aa3cde37876a940d1d1
0d6176e7f7745ff010f186e65cc89fefbd3ce331ca37a2b02e7a42ed4fc6c44f
0cb30d7e5f9476afb6ff37eeac4dcc524fe63105433d7388ca709ba6e9a0539e
SH256 hash:
fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa
MD5 hash:
6c3fdb2b5d93cf814ea1b6ca05a0efcf
SHA1 hash:
f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5
Link:
https://www.unpac.me/results/192165c6-cfa3-41b7-8bd9-c097b6b7d24f/
SH256 hash:
8081d6eab72911a6507dfd158fdb28f4185e56d66525427e49bbce6ed7a3960d
MD5 hash:
eb5f9173480ce03c66b98e44f84a064a
SHA1 hash:
2af4942fbd0de00949a9e0e88b628d0dc53de478
Link:
https://www.unpac.me/results/192165c6-cfa3-41b7-8bd9-c097b6b7d24f/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/192165c6-cfa3-41b7-8bd9-c097b6b7d24f/
SH256 hash:
a9403368a5dd483b162510bd5866a30ecde728f1e4cdd49ecf6c239c76cbf41b
MD5 hash:
3663f65680ccdd74a358fbe90a5941c3
SHA1 hash:
0bf1ae7300fdce838dd4665a93e05bbe4b2915b7
Link:
https://www.unpac.me/results/192165c6-cfa3-41b7-8bd9-c097b6b7d24f/
SH256 hash:
dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a
MD5 hash:
e30086e30ceef09d5e2776fdefea898e
SHA1 hash:
44f8cdf013121dd29f61111a8fbb63cf235f5452
Link:
https://www.unpac.me/results/192165c6-cfa3-41b7-8bd9-c097b6b7d24f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dab182eded21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe dab182eded2109cec4a816aa101c68a8d91777fa896afe0c73ca5ba0da98978a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2403250/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/348820/

Comments