MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab
SHA3-384 hash:	5c30ef1cc0568935176b1b896e6ab394f48efd5b260d48ca191761d9c46187946bdf4e728ad6bd0641a0f1c62acaf26b
SHA1 hash:	9f5d1cc551734119ea408d375e1864c75eec49ea
MD5 hash:	c197f0089f58e99b1bfccf2a7cc35c2a
humanhash:	fish-hot-bravo-apart
File name:	c197f0089f58e99b1bfccf2a7cc35c2a
Download:	download sample
Signature	Formbook Create hunting rule
File size:	610'259 bytes
First seen:	2021-11-11 18:40:37 UTC
Last seen:	2021-11-11 22:27:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:ibE/HUTo6i/cErKHhhqFDAnfvxpvgrEKF/vOhrCAU5nkA9dYC8PYQSrVQA:ib1RwmeF8f5pvgrEKF/GhGA3c3eSht
Threatray	11'301 similar samples on MalwareBazaar
TLSH	T1F5D4E9D1F19088DAED6B09F2BD2BA53024D7BE9D54A4410C569DBB1B76F3342209FE0E
File icon (PE):
dhash icon	eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/205110/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37985418.4492.94.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/618d63c2175442ca93aca53e/reports/e178254b-d978-4fdd-be73-8686449bca39/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7d9a7c8e-451b-475b-a2ef-4b0ceae5bd91

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/887719

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-11-09 15:14:14 UTC

AV detection:

18 of 26 (69.23%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5

Formbook

2a9f1febdc4e074beaa1b6b761d09900377204da7a9f1cdba39284d568e2ddc8

Formbook

84bbdc0b303d03c1ef4ee6d48dedd94181d8fc5650a20b557a555b0917aaf879

Formbook

ac4a0328d512526f20122f0399d557b1334f3b2ac264d9e749d6d2788e956b2e

Formbook

d78094f3b6eac87e2d4249671bdc4e044afb31e2e78aac8f2db7186c6d5b6db1

Formbook

da0e2504009a426b799d9135979188e2c4533f69c2e981650afc51d5e8e320c2

Formbook

f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

Formbook

+ 11'291 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:bcwg loader rat

Link:

https://tria.ge/reports/211111-xbrmaahaem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.golfyouth.com/bcwg/

Unpacked files

SH256 hash:

dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab

MD5 hash:

c197f0089f58e99b1bfccf2a7cc35c2a

SHA1 hash:

9f5d1cc551734119ea408d375e1864c75eec49ea

Link:

https://www.unpac.me/results/1632852c-e9cf-4b89-8bc5-3f734d65c7c6/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dafe42f17220/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time