MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc768179ba649419f687c42e8ffbd972d6667775e7cc48665a3f7d05a52cc0d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: dc768179ba649419f687c42e8ffbd972d6667775e7cc48665a3f7d05a52cc0d5
SHA3-384 hash: 99219a48a2d318bcf5d99e087d6dba80fd02f9bbddf875dddfc31a512e052a5f1b5868168883cc347902f06155d9d39d
SHA1 hash: 9fc101224a3ed65d93c19f46c3896bb105754505
MD5 hash: 367ffd87575710f945167bbe6bb40825
humanhash: alabama-fillet-quiet-maine
File name: SecuriteInfo.com.Trojan.MSIL.FormBook.EVF.MTB.24556.3819
Signature: Formbook
File size: 887'296 bytes
First seen: 2022-06-15 16:42:42 UTC
Last seen: 2022-06-15 17:39:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:93hLuyyJOvJQ0cXRgFYXJaHShzRdGdkLsmx7F:9RLuyyJOvChgFgaHQlcdkNBF
Threatray: 13'709 similar samples on MalwareBazaar
TLSH: T1CD1512133AB8439BD5AC43B9E8324CE517366E59B550F76D2C853ECB1931B108C4EBA7
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: SecuriteInfoCom
Tags: exe FormBook
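The imphash listed for this sample is the one almost every .NET executable carries: a CLR-hosted PE imports a single native symbol, _CorExeMain from mscoree.dll, so the import table hashes to the same value for AgentTesla, Formbook and SnakeKeylogger alike. That is why the entry counts tens of thousands of other samples against it and why it is a poor pivot for .NET malware. The following added example (not MalwareBazaar's code) reimplements the pefile imphash convention in Python over constructed import tables and flags the generic .NET value. The import lists and the imphash_pivot_quality helper are illustrative assumptions, and imports by ordinal only are not handled.

```python
import hashlib

# Shared imphash of .NET executables (the value shown on this entry).
GENERIC_DOTNET_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed import tables (illustrative, not parsed from the sample).
# A CLR-hosted EXE imports exactly one native symbol from the runtime shim.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# A small native-style table, to show that order and content change the hash.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
]

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash(imports):
    """Import hash following the pefile get_imphash() convention: for each
    (dll, function) pair in import-table order, lower-case the DLL name,
    drop a trailing .dll/.ocx/.sys extension, and emit "lib.func" with the
    function name lower-cased as well; join the entries with ',' and MD5
    the result.  Imports by ordinal only are not handled here."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def imphash_pivot_quality(h):
    """Hypothetical helper: 'generic' when the hash is the shared .NET stub
    hash (clustering on it groups unrelated families, as the counts on
    this entry show), otherwise 'specific'."""
    return "generic" if h.lower() == GENERIC_DOTNET_IMPHASH else "specific"


if __name__ == "__main__":
    h = imphash(DOTNET_EXE_IMPORTS)
    print(h, imphash_pivot_quality(h))  # f34d5f2d4577ed6d9ceec516c1f5a744 generic
    n = imphash(NATIVE_IMPORTS)
    print(n, imphash_pivot_quality(n))
```

For .NET samples, pivot on the unpacked payload (ssdeep, TLSH, Threatray clusters or the extracted configuration) rather than on the container's imphash.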

Intelligence

File Origin
# of uploads: 2
# of downloads: 236
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit packed wacatac
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-06-15 15:07:51 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:b6qc loader rat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
Unpacked files

SHA256 hash: 5e95b92999dc337f367d2c8e91e68daadbcdfc537d2d11fa2612ce68a58e8d04
MD5 hash: e3df2dd40f0ce5dcd593a52653983ca4
SHA1 hash: d7d895a35867dc41c8a03ab5ec3aa4e38e1a08a3

SHA256 hash: e07b879cefac9daa68d113adf60794cbd47e2d6a5bc447ee1bda97dcbec2df12
MD5 hash: 163f35fda3d9f7c095c34cfc7c386886
SHA1 hash: 5a58cbdae708b401e37a67122195dc712ef217f5

SHA256 hash: dc499023d756fc9caa18caf3c1f977095d473188ef674b3fba80e4d5e6516692
MD5 hash: c93a1088871b55f7e0753cdab6c76fd2
SHA1 hash: 2d8acd8ff097f711bea75372073234988dbe5878

SHA256 hash: dc768179ba649419f687c42e8ffbd972d6667775e7cc48665a3f7d05a52cc0d5 (this sample)
MD5 hash: 367ffd87575710f945167bbe6bb40825
SHA1 hash: 9fc101224a3ed65d93c19f46c3896bb105754505
Please note that we are no longer able to provide a coverage score for Virus Total.
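Three of the signatures above describe what the sample does on the host to persist and evade: scheduled-task creation through schtasks.exe or at.exe, and a directory exclusion added to Windows Defender. The following added example (not from MalwareBazaar or from any of the sandboxes quoted) shows detection logic for those two behaviours run over constructed process-creation events. The event format, the rule names and the severity heuristic (parent process running from a user-writable path) are assumptions for illustration, not a vendor's schema.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a simple "ts|parent|image|cmdline"
# form, modelled on the behaviours listed for this sample.  Illustrative
# data only, not real telemetry from the sample.
SAMPLE_EVENTS = r"""
2022-06-15T16:43:01Z|C:\Users\bob\Downloads\invoice.exe|C:\Windows\System32\schtasks.exe|"schtasks.exe" /Create /TN "Updates\Task" /XML "C:\Users\bob\AppData\Local\Temp\tmp1A2B.tmp"
2022-06-15T16:43:02Z|C:\Users\bob\Downloads\invoice.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\bob\AppData\Roaming"
2022-06-15T16:43:05Z|C:\Windows\explorer.exe|C:\Windows\System32\schtasks.exe|schtasks /Query /TN "Updates\Task"
2022-06-15T16:43:07Z|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2022-06-15T16:43:09Z|C:\Program Files\Vendor\setup.exe|C:\Windows\System32\reg.exe|reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\Vendor" /t REG_DWORD /d 0
"""


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Hit:
    rule: str
    severity: str
    ts: str
    cmdline: str


TASK_IMAGES = {"schtasks.exe", "at.exe"}
# schtasks only creates when /Create is given; at.exe is deprecated, so any
# use of it is worth a look.
TASK_CREATE = re.compile(r"(^|\s)/create(\s|$)", re.I)
# Defender exclusions added via the PowerShell cmdlet or straight into the
# Exclusions registry keys.
DEFENDER_PS = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
DEFENDER_REG = re.compile(r"\\windows defender\\exclusions\\", re.I)
# Parent running from Downloads, AppData or a Temp directory (hypothetical
# severity heuristic).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\", re.I)


def parse_events(text):
    """Parse the constructed pipe-separated format into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, parent, image, cmdline))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Hit per event matching either rule, in event order."""
    hits = []
    for ev in events:
        img = basename(ev.image)
        rule = None
        if img in TASK_IMAGES and (img == "at.exe" or TASK_CREATE.search(ev.cmdline)):
            rule = "scheduled_task_create"
        elif DEFENDER_PS.search(ev.cmdline) or DEFENDER_REG.search(ev.cmdline):
            rule = "defender_exclusion_add"
        if rule is None:
            continue
        # A parent in a user-writable location is the dropper pattern the
        # sandboxes describe; an installer under Program Files adding its own
        # exclusion is common enough to rank lower.
        severity = "high" if USER_WRITABLE.search(ev.parent) else "medium"
        hits.append(Hit(rule, severity, ev.ts, ev.cmdline))
    return hits


if __name__ == "__main__":
    for h in detect(parse_events(SAMPLE_EVENTS)):
        print(h.severity, h.rule, h.ts, h.cmdline)
```

Correlating the two rules on the same parent process within a short window, rather than alerting on each alone, is what separates this sample's pattern from routine administration.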

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
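exploit_any_poppopret is a utility rule rather than a malware signature: it marks pop r32; pop r32; ret byte sequences, which are ordinary function epilogues and so appear in almost every compiled x86 image. Its match here says nothing about exploit content in the sample, and the same goes for the two imphash rules, which key on an import hash shared by most .NET binaries. The following added example (not MalwareBazaar's or the rule author's code) reimplements the same byte scan in Python so the matched offsets can be inspected; the input byte string is constructed.

```python
# One-byte x86 opcodes: 0x58..0x5F are pop eax..pop edi, 0xC3 is ret,
# 0xC2 is ret imm16 (callee additionally pops imm16 bytes).
POP_R32 = range(0x58, 0x60)
RET_NEAR = 0xC3
RET_IMM16 = 0xC2
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_pop_pop_ret(buf, base=0):
    """Return (offset, length, text) for every pop r32; pop r32; ret[ imm16]
    sequence in buf.  Every byte offset is tried because x86 code is not
    aligned and a usable gadget can begin inside another instruction.
    Offsets are base + index, so a section's virtual address can be passed
    as base to get addresses directly."""
    hits = []
    n = len(buf)
    for i in range(n - 2):
        if buf[i] not in POP_R32 or buf[i + 1] not in POP_R32:
            continue
        r1, r2 = REGS[buf[i] - 0x58], REGS[buf[i + 1] - 0x58]
        if buf[i + 2] == RET_NEAR:
            hits.append((base + i, 3, f"pop {r1}; pop {r2}; ret"))
        elif buf[i + 2] == RET_IMM16 and i + 5 <= n:
            imm = int.from_bytes(buf[i + 3:i + 5], "little")
            hits.append((base + i, 5, f"pop {r1}; pop {r2}; ret {imm:#x}"))
    return hits


# Constructed byte string (not taken from the sample): two gadgets, one with
# a plain ret and one with ret 4, separated by filler bytes.
SAMPLE_BYTES = bytes.fromhex("9090 5d5b c3 00 58 59 c2 0400 ff 5e c3")


if __name__ == "__main__":
    for off, length, text in find_pop_pop_ret(SAMPLE_BYTES, base=0x401000):
        print(f"{off:#010x} ({length} bytes): {text}")
```

Run over a real PE, point the scanner at the bytes of executable sections only; data sections produce plenty of byte-level hits that are never executed.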

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Formbook
File: Executable exe dc768179ba649419f687c42e8ffbd972d6667775e7cc48665a3f7d05a52cc0d5 (this sample)
