MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940
SHA3-384 hash: 40474787704a0cacb28dd725931ec845435fe0470aabb31a349cfb21b3aa406be2b6f5668cc856fc7a019d776a27b9fe
SHA1 hash: 92a733417245b4b8785727967626298933440a49
MD5 hash: 90f9a425b955b24ee81c3d676daac7c7
humanhash: maine-oranges-emma-lion
File name:Pago.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:524'288 bytes
First seen:2021-12-16 16:19:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:r8PapPapPazY8DwZbxWmfEgm2i+TtRJnoS4Bk4fy7EuSK3:r8P8P8PwY80ZNWRohd4Bk4K7fSK3
Threatray 12'336 similar samples on MalwareBazaar
TLSH T1C5B4E01132A98B22C9B99BF44C7161A003B57C56BA7AE74F2DC17CEF31B9F804690B57
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214636/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61bb67386daa353fa3b5a6f3/reports/91dd7152-2990-4b2b-83dc-57915eb32eaf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9ce84bf-410b-49cc-a026-9f6cc30812c2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908642
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 16:20:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gsvlrnjk5g6mrem3yu6rtj7qmjncqqom5u2ghcy4tkd325nffaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119
Formbook
2edfa5f806d554457c20a6d48a519f96f8da0bf6d53e54556be1bffecbbb9710
Formbook
4cef73e83df4c6bb091a157a975a38a2c50be436649414a2ac7a55bc62e67da0
Formbook
516601b7a328bcee918e8c52e46f71b39437045489bdaaf90136c9f899197bc8
Formbook
52b3b8d10c143dd7b6dfc186bf1e1e0e3c47c3f995dec4e1e4f5f569075d9a38
Formbook
59139210e96ea7a1ca64dbb343b225be422bc0d3c66a673959b3e8e076bceea7
Formbook
778b43e9a8b8350b3940a9f59684f454e5a1761eaa38198430af89b968a2ce35
Formbook
ad1a7132112ed0a17f526989f2f50b61a43c71180de093582866b4541c24adc7
Formbook
f6d328b383e179f3c0918c3e97964151319444ea9f22e0d667c831dfe8d26069
Formbook
+ 12'326 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hno9 loader rat suricata
Link:
https://tria.ge/reports/211216-ts4fmadbdm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
1f144a04cefd8f8c2eb0e9ac6377a8827d85e59eec6784b4488a8933b206364f
MD5 hash:
264efc9c4096124f50b589e62edc9058
SHA1 hash:
b7b0e7a08ab1ee561cb94891d82a05d5c5af9b9b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/34b7e753-5a85-4e2f-a326-a9f1b586f2df/
Parent samples :
e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940
4fef5b14f0bd76fe46ed3ddacd8d1373bd82bcf0945c27d8c4b2b3308b1b4056
0cf02a2d59436d9c614e4b82646a52e7ea90047d0ef93444f22a602a60dbecb3
SH256 hash:
23a51a4787e7be05dc300056d427187080b43a96df87c956d551b381e77f0a83
MD5 hash:
0119466b3f2ab43d479745a3236873d6
SHA1 hash:
6f5806ef5d82504e591fdb6e0494be5380455259
Link:
https://www.unpac.me/results/34b7e753-5a85-4e2f-a326-a9f1b586f2df/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/34b7e753-5a85-4e2f-a326-a9f1b586f2df/
SH256 hash:
e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940
MD5 hash:
90f9a425b955b24ee81c3d676daac7c7
SHA1 hash:
92a733417245b4b8785727967626298933440a49
Link:
https://www.unpac.me/results/34b7e753-5a85-4e2f-a326-a9f1b586f2df/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e1a555c5a957/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e1a555c5a9574de6448cde29e8cd3f8312d1420e6769a31c58e4d43debad2940

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/214636/

Comments