MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989
SHA3-384 hash:	73eb77a64f5f29a9b7eb9fa3dc0e76c9024d7fb3b2d258c470aeb9052a6e2026116630cc630071ac0fa729e0cdfcce7f
SHA1 hash:	87379bf1c427bb22c4fa89bd444bda4801547d8e
MD5 hash:	5f8499cc3faaffa4862f09806fccb900
humanhash:	eighteen-moon-fillet-virginia
File name:	SKGCTMG_Carta_202107015_16374466893343426doc.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	410'917 bytes
First seen:	2021-07-23 15:36:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b89f3af6e8726c625cba8a18b46cbaf3 (2 x AgentTesla, 2 x Formbook, 1 x OskiStealer)
ssdeep	6144:uh9xdjfLqqHKmT+wRbm8ImpLK8akZgDwLOzhVQ372g6K:uHqmywpLKwZ7OnYrj
Threatray	6'800 similar samples on MalwareBazaar
TLSH	T1A1947C72B1E59942D01311B1681FC66460C93E7EED6EC20EB346BB2F85F22D12257E9F
dhash icon	008ea0b28e9a8680 (1 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SKGCTMG_Carta_202107015_16374466893343426doc.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-23 16:09:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/825b493b-3dcd-438d-bdae-635a8183ff02

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/173686/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.2249.35.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d60a09e-718a-4dd6-8b1a-f9e9a03a03c6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/820874

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-07-23 07:43:42 UTC

AV detection:

10 of 46 (21.74%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4bpzljqwbgqa67edokbdwdgyomksjy6zhdepksqrsisjdynhbgeq._file

Verdict:

malicious

Label(s):

formbook

Formbook

18245cb19e63733176ad7ca573d8d92b9a8291d6e8a62dc6af6f1491381bf526

Formbook

1a91deb8d42e066f792fed5e4feb0dbaacdec1a052f516e1287cf9625a8c9684

Formbook

3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716

Formbook

454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a

Formbook

6421a877340afab7934556dfd4d8ce52f187df24aa621242e65f3ea14f07c541

Formbook

8bd8e7edfd64f242eec8ebeaf0a473152c0f52de8f0318f8bcacf98326e0405a

Formbook

975d26e2e3cbc36e78c184a98bff54686261c65bba363d93391076b6a248b486

Formbook

c3ce9a925d6648a3fa48d02e7640a0d541435651585f11aa72bf8c66a63522ee

Formbook

fe5d8bb940112ba98d51c57496fa25e242d3f6e4b28b183bfe2ef3ec2c393e9e

Formbook

+ 6'790 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210723-8nt3m5x5pj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.mambomakaya.com/ftgq/

Unpacked files

SH256 hash:

bbc3a0025b214037b27d5667bebcdcfb103c64daafd22745cb47102a6a6ca115

MD5 hash:

46b34b67fa5dc5cc6a1b3d90a9508121

SHA1 hash:

9e84c6bbcf8548cb28f9f5231c295f2d036051b4

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/8468e568-db7c-4826-b64d-b4b053c7433e/

Parent samples :

bc42a2014018e4644194a651f1a42916d2bd62154adda1e05ed3b5847a50317d
3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716
0b79991d57a301d4cdf1d4cf7234d2ad5afe5a3895e75b9c12d4bd16a385389a
92976a7ee61468fb88761dfa0f9cfdf99b6c6c484ae47e970986acf66926f3a0
454cdf27c94d9e4a69b615b12536293233057fc9c42fc3cfdab35e711a20694a
e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989
f515599d9ab7045656d0976c3aa5740feab68f862fa2e339379a1118f8ccba4a
8dec5ed95d3ca077bb1c2695074877a7160f97960df22a119d9f2debfb18dc0b
598a6fc7c9e91a6ce28af2833cb0e6262f28fab605fcd74098fc2edf9510b58f
24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849

SH256 hash:

e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989

MD5 hash:

5f8499cc3faaffa4862f09806fccb900

SHA1 hash:

87379bf1c427bb22c4fa89bd444bda4801547d8e

Link:

https://www.unpac.me/results/8468e568-db7c-4826-b64d-b4b053c7433e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173686/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample