MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e
SHA3-384 hash: 36a693e4e965a3a57997fd30cc530054767763237809d3cb795dfb989754598522c1173a654eaa47ec9378999833f9ba
SHA1 hash: b0eb4013382bdc3ca6e2bc76755054f5ff6553e6
MD5 hash: 8796aaccd780a02dad7b9d67af5dc964
humanhash: hotel-freddie-california-lemon
File name:8796aaccd780a02dad7b9d67af5dc964
Download: download sample
Signature Formbook
Create hunting rule
File size:1'091'584 bytes
First seen:2022-03-03 04:12:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:5rT3UkkO/XBH7mI9sfP7trGkdhnLSMwxOUqn/Kb:FYO/XBHhKkkGMwxOBn/
Threatray 14'478 similar samples on MalwareBazaar
TLSH T153354A9C365072EFC857C976CAA81C64FA60747B970BD203A06312ED9E0DA9BDF154F2
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246658/
Detection(s):
Win.Packed.Pwsx-9939857-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62204057b94fb38cb43ed5db/reports/a645148c-9129-4fbb-8ff7-08f996a8a20a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0612228-7174-40de-bb7d-f265e3a1c39b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949647
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 582128 Sample: QDkncAz6l3 Startdate: 03/03/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 6 other signatures 2->50 9 QDkncAz6l3.exe 3 2->9         started        process3 file4 26 C:\Users\user\AppData\...\QDkncAz6l3.exe.log, ASCII 9->26 dropped 52 Tries to detect virtualization through RDTSC time measurements 9->52 54 Injects a PE file into a foreign processes 9->54 13 QDkncAz6l3.exe 9->13         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 16 cscript.exe 13->16         started        19 explorer.exe 13->19 injected process8 dnsIp9 34 Self deletion via cmd delete 16->34 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Tries to detect virtualization through RDTSC time measurements 16->40 22 cmd.exe 1 16->22         started        28 attomstyle.com 192.254.235.73, 49792, 80 UNIFIEDLAYER-AS-1US United States 19->28 30 www.tycoolmoney.online 203.170.80.250, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 19->30 32 5 other IPs or domains 19->32 42 System process connects to network (likely due to code injection or exploit) 19->42 signatures10 process11 process12 24 conhost.exe 22->24         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 11:47:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
070264132f92fc5cb01521385e73bf36954d4093da205c59821e844abed68b5f
Formbook
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
5645d9e38c998f5db43ae93e35339d7dca0a96b81f806b370624e7410e2eea0a
Formbook
96077c533e59e3b8cf38826e5e37e35f1f2eb44d356eae6575223158b565198e
Formbook
9655ee4ca1167f87d9245041ab59e861d6b3bdde7897a3b4cb2deee8550bdaaa
Formbook
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
Formbook
9e41bc1734c4bc894acdc9c08568cb2f1cd01078fa9b5f30d6f18c6383c22863
Formbook
aea459fb282282fc886f02283b2cfe1da12a6208e14859ffeb7f84a45a452bba
Formbook
ea94995d23d53a98a949a242022cbd9bc5b7a4320c3fb6c045370b15704e4004
Formbook
f725b6a2466a6f4c7084eeab5994e30b8ef836633c1a84d85c1899deb1808d3c
Formbook
+ 14'468 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hedi loader rat
Link:
https://tria.ge/reports/220303-es4n3aaheq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
c48729b0f668bdc88da794039d058bfaf3a9bd6ec6a56dfc07cc81789725677a
MD5 hash:
7534f1f8df145da4a39941c0c0a6cd7e
SHA1 hash:
d05f169ac144f4c717e1731906d9d07ac2d73cab
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/aa14540e-a677-4b84-8fc7-7d17b057e9af/
Parent samples :
47cc3c7db66ce48b1eabd6a99f466273d38f1f9a92fef1ab09dca033e354ea00
dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e
SH256 hash:
caca58c402adff09bbc6907211050ce93ba1ca9de7e272d9d0f37f101e6fa340
MD5 hash:
3880b837a1470737da64d3b682136cb0
SHA1 hash:
7670a024e615341a0c1f9c38ba088781210167fb
Link:
https://www.unpac.me/results/aa14540e-a677-4b84-8fc7-7d17b057e9af/
SH256 hash:
836d67254c42912727855ac2211ed2823f73c5f4509aa0dd82dc79ee76f768b6
MD5 hash:
9e9a1b2524b697ee7223da3db85534d4
SHA1 hash:
ae19cc54995bd4d22b008b342d2f1216eb0c3787
Link:
https://www.unpac.me/results/aa14540e-a677-4b84-8fc7-7d17b057e9af/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/aa14540e-a677-4b84-8fc7-7d17b057e9af/
SH256 hash:
6ea7f57b08100039c758650e9f70a7673383b6cba2cce6143e9872d1d483a5f9
MD5 hash:
dfb9b33c30a46e46f29c4b53ff692173
SHA1 hash:
5630b0e272527f2bc533cd3227f3c07f1210215e
Link:
https://www.unpac.me/results/aa14540e-a677-4b84-8fc7-7d17b057e9af/
SH256 hash:
dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e
MD5 hash:
8796aaccd780a02dad7b9d67af5dc964
SHA1 hash:
b0eb4013382bdc3ca6e2bc76755054f5ff6553e6
Link:
https://www.unpac.me/results/aa14540e-a677-4b84-8fc7-7d17b057e9af/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dadfe6c54e70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe dadfe6c54e7000472e145b38e7410fbfef963566a06811ede626705a9e98a53e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246658/

Comments


Avatar
zbet commented on 2022-03-03 04:12:34 UTC

url : hxxp://198.23.174.115/ewa.exe