MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
SHA3-384 hash:	ee0070be4be00281654c1b2c775ebbda377b26d7a575b0c339f48eaaf25269aaef3b837f6703f76c9a06e5bfe19b556f
SHA1 hash:	47e9710ccdef23f1b45dcc2d459148461359462a
MD5 hash:	9aad1149c17535bf37fe98c564958ef6
humanhash:	hamper-burger-london-six
File name:	DBS_Swift $12,863.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	352'768 bytes
First seen:	2021-10-19 13:12:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:VbqYJkNHwD3sLJCLI9d6yPzQWptHSYbTvZC0NRO87UzJXo3Nj1:VHSNUAC4dtHrAH8Y14v
Threatray	10'692 similar samples on MalwareBazaar
TLSH	T1EE74120467EA0302D6FE9BFA056316058B76B7976223E70C69D642CE0877F85CAD0F67
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/198505/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.17696.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook greyware keylogger obfuscated packed

Link:

https://www.filescan.io/uploads/616ec4629a5a1e91c5c6680e/reports/778bcca4-2719-47b6-aa47-746716d1e8a2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/456ffa9a-ddcc-4056-8c0f-9f6ead75de02

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/873128

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2021-10-19 12:14:50 UTC

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=333jxvttvzl3odbabb2znn4h5mt4d4g2obj3ukmr5b6pp4bsyq6a._file

Verdict:

malicious

Label(s):

formbook

Formbook

366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f

Formbook

42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c

Formbook

435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64

Formbook

63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10

Formbook

7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253

Formbook

a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab

Formbook

aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e

Formbook

b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca

Formbook

b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d

Formbook

+ 10'682 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ssee loader rat suricata

Link:

https://tria.ge/reports/211019-qf4dbaggbn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.idt-metrofireandsecurity.com/ssee/

Unpacked files

SH256 hash:

fe4ed2a81e8d978e5af169b4144f115f27e039f4d56f627ec25dcdf3468bc1ef

MD5 hash:

84869db9efc28228fd5932c0a33a9aac

SHA1 hash:

33b9d49e3eb86dbd7b9bac6b2580bc69d251b611

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/2b9c8739-7319-4bab-887d-c83c49056e26/

Parent samples :

1c49c90dceca146ee0b95fab3873e38bcda5b46b550a59f8ba2ccf5984a11b92
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
f7c1ecf2c6e90d8a9a0ac0972b0ab02ca809a85da65d51b46f56a4c81cc4996e
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
a73336c8fc448bd54031998ad8cbda50f452c3c8a1600623a43e07ce6476b3d5
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
2465cbd2ae3adb04f06a069fef61acc098096ef1f33cece8076d059b106f7b3a
63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10
e426d0d32845bb665740831128bcb5109a588544acf73317f5ee3bce6e5f486f
42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c
a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
ee5ab13a8694e1883f2e4f1509580d2cd01b6041ef78da9e1524f8b4eaee6ed5
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d
61364951cb7faf165eaadcb66f8e124a689f5f298ec5f2d9539206904d1194b8
1fad173e519f8c7cb34093e926807794765789e79d377e89ffe201ae8d76dd99
13c385c3a7e1297c506764e1b956a5aa568590389356140c92e2a2cb953bffe5
6ec3a910864aa91b0bec91275ffc3ef7e3dcc0e1c7f247624514b1c9d4c16992
9dbcb6d140d0fd1db131b3f086eb8ee6dc9d0dcdd325f36b48aea1495408e2a2
91a28bbaaaed3acd39f0c37cf091e0a4e3a54ac5f00b4c26c5d3af44c9bc3fb3
cb32d42bcbcc716d12c9926bd3aab2def79f4dc2774f2f04234d95b2b4849e86
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c

SH256 hash:

7b4ba24781e21b310e2749bc2f7a80b9670a4198a54d26e42079a6a1c1be6ae7

MD5 hash:

7b77d210bf6b00fd8ee8187198852052

SHA1 hash:

7f78d6294a269349fc9a49ad3c8ccb3c3d2665b4

Link:

https://www.unpac.me/results/2b9c8739-7319-4bab-887d-c83c49056e26/

SH256 hash:

dce82487c7272ae8b0012048bf8e2e7c738ec4edcd62b565f36e5dc818811db5

MD5 hash:

bf8a5de964634c87c2bc9f872b33cb9d

SHA1 hash:

20951cfc13c505b36c12d5207c62f28d5e3798a9

Link:

https://www.unpac.me/results/2b9c8739-7319-4bab-887d-c83c49056e26/

SH256 hash:

def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c

MD5 hash:

9aad1149c17535bf37fe98c564958ef6

SHA1 hash:

47e9710ccdef23f1b45dcc2d459148461359462a

Link:

https://www.unpac.me/results/2b9c8739-7319-4bab-887d-c83c49056e26/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/198505/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample