MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SHA3-384 hash: bd24d3a7d471ee319d175eadf91e2f7182d88fd33a46c2ef80a943d10c08503fcb0e894076a9be4e98014d9c81e7247d
SHA1 hash: 07edabeb3c3375043de5a0a2af222a9888e40c75
MD5 hash: 3e63f636a493ee210b6627e63c954665
humanhash: tango-spring-snake-speaker
File name:LisectAVT_2403002C_89.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:219'323 bytes
First seen:2024-07-25 01:51:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:oNeZg14JHXuf5KmE+rZOuTdcC2xIC90pLXg4Psgf:oN8HXG1NOiSPxbCLX7PsO
Threatray 3'457 similar samples on MalwareBazaar
TLSH T1F1240243FD64C4BEE8B61673497BA29A09D52C3D06B00D4F87CD7B6C3832263469962F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 131163e1e1e1e1a0 (17 x SnakeKeylogger, 7 x Formbook, 2 x AveMariaRAT)
Reporter Anonymous
Tags:exe FormBook


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66a1afc73a481e36d574736e/reports/2324b935-08c0-4b1d-ae51-9c0721a994ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1481273
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 01:52:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4aghrseysqbixzypaes2wigmlem5hgjq7omnagzwpq7qlvuqfhha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
Formbook
ad958c67c1d8cc2dce3c9b7e3456f48cbff851107be42a7835a05d6e2f99faed
Formbook
bf6ccdb40c75ee410046cf7c4590b73d9d9f6e0c16e7d9bf0659b2ae264893e2
Formbook
dd892312fd39c8906dce9e3c397ef4881776e0eff41f7b0b6a884580d7ac45ae
Formbook
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
Formbook
+ 3'447 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hsot discovery loader rat
Link:
https://tria.ge/reports/240725-b9zjwsthre/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Xloader payload
Xloader
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52452f07-accc-40f6-9624-b34dc5ec8aa4
Unpacked files
SH256 hash:
f72993da75396849b8f58292a3fc1692bd5f9df07fc0526cb3b4e4af427f53e9
MD5 hash:
f681eb16d79cca0fd14a7796d6d8b45d
SHA1 hash:
a90f0607f42b7c1c6fe96c620a21fc6a525e059b
Detections:
XLoader
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/f9a6225e-ba1b-4706-80a4-0cb2478af918/
Parent samples :
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548
e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SH256 hash:
428a93604f67ed28baf755599a0b87fca69a26e04a047a5dcaea8816d1fb837c
MD5 hash:
cac59ae3259fcb4fa88990e20838b784
SHA1 hash:
71c1f22756464af1a5e56a9b7217c353f65078ce
Link:
https://www.unpac.me/results/f9a6225e-ba1b-4706-80a4-0cb2478af918/
SH256 hash:
afe2d238f04f3ea7405ecaf6296d938e31cfdf044dd6a9bf9c53edd41d856d7e
MD5 hash:
1d114e91747556fc9187af1de83a7d97
SHA1 hash:
9d0570af5cd50ebbfc79d962c6e6fd26b6e65490
Link:
https://www.unpac.me/results/f9a6225e-ba1b-4706-80a4-0cb2478af918/
SH256 hash:
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
MD5 hash:
3e63f636a493ee210b6627e63c954665
SHA1 hash:
07edabeb3c3375043de5a0a2af222a9888e40c75
Link:
https://www.unpac.me/results/f9a6225e-ba1b-4706-80a4-0cb2478af918/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments