MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
SHA3-384 hash: 8a291349a65a4d24b0596ec1e1474ba763346355a298d21625ae6e62de8d8970c020da993280c301841e8598e83478cd
SHA1 hash: e2773bc252dc364340b5440aa781338e79288e33
MD5 hash: 98b7ded3535167f063b28e937d837a31
humanhash: nevada-chicken-failed-hotel
File name:Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:773'120 bytes
First seen:2021-11-25 13:27:14 UTC
Last seen:2021-11-25 17:05:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa05048bfda17ad908358f66259767df (1 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:a+3V1iARDZ1Wv7GFdc6v8cnr3pB7PeDhxYjAnJtWcpEL36U:a+FrZ1Wv74d9lTrbeDhmgJtWf36U
Threatray 9'810 similar samples on MalwareBazaar
TLSH T126F46BA16680693AC1B72579CCBF86948E387D14CDF9BC963EE179090FF5361740EB82
File icon (PE):PE icon
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe
Verdict:
Malicious activity
Analysis date:
2021-11-25 13:31:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67e4aee5-c268-47d2-8cc6-53e8ffc59b1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.Malware.AI.3961113016.25418.17593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/619f8f6602c80febc2a93222/reports/ef8329e5-735b-493f-91fa-bcf06db1f32b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1bf228d-0a24-4753-b0a7-edbeb5fec490
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896111
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528586 Sample: Wfedtqxbgeorkwcgiehsnsjbdjg... Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 41 www.7890174.com 2->41 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 10 Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe 1 17 2->10         started        signatures3 process4 dnsIp5 53 schoolofspanish.co.za 156.38.200.58, 443, 49752, 49755 xneeloZA South Africa 10->53 37 C:\Users\user\Contacts\Wfedtqxb.exe, PE32 10->37 dropped 39 C:\Users\...\Wfedtqxb.exe:Zone.Identifier, ASCII 10->39 dropped 91 Writes to foreign memory regions 10->91 93 Allocates memory in foreign processes 10->93 95 Creates a thread in another existing process (thread injection) 10->95 97 Injects a PE file into a foreign processes 10->97 15 logagent.exe 10->15         started        file6 signatures7 process8 signatures9 99 Modifies the context of a thread in another process (thread injection) 15->99 101 Maps a DLL or memory area into another process 15->101 103 Sample uses process hollowing technique 15->103 105 2 other signatures 15->105 18 explorer.exe 2 15->18 injected process10 dnsIp11 43 www.wxaipuer.com 156.234.200.116, 49830, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->43 45 dustyscleaning.services 34.102.136.180, 49807, 80 GOOGLEUS United States 18->45 47 6 other IPs or domains 18->47 71 System process connects to network (likely due to code injection or exploit) 18->71 22 Wfedtqxb.exe 13 18->22         started        26 Wfedtqxb.exe 13 18->26         started        28 svchost.exe 18->28         started        30 chkdsk.exe 18->30         started        signatures12 process13 dnsIp14 49 schoolofspanish.co.za 22->49 73 Multi AV Scanner detection for dropped file 22->73 75 Machine Learning detection for dropped file 22->75 77 Writes to foreign memory regions 22->77 32 DpiScaling.exe 22->32         started        51 schoolofspanish.co.za 26->51 79 Allocates memory in foreign processes 26->79 81 Creates a thread in another existing process (thread injection) 26->81 83 Injects a PE file into a foreign processes 26->83 35 DpiScaling.exe 26->35         started        85 Modifies the context of a thread in another process (thread injection) 28->85 87 Maps a DLL or memory area into another process 28->87 89 Tries to detect virtualization through RDTSC time measurements 28->89 signatures15 process16 signatures17 55 Modifies the context of a thread in another process (thread injection) 32->55 57 Maps a DLL or memory area into another process 32->57 59 Sample uses process hollowing technique 32->59 61 Tries to detect virtualization through RDTSC time measurements 32->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-25 08:32:43 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ubjb6nzz54bulle67rrsdpcruvwopgsicmwoxj3mwuavnym7hqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0476138fbcff609f17840fc691a990908bda11f81e13372d26d541a8cf47b0c3
Formbook
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
Formbook
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
8968808899b3e810e675fc87e6ff0f61c82b444183fd7f8febdb276eee05e683
Formbook
b88385613d90ebbd240b11a3847fc2117c0d832fdf7a3c45f1ed68692ed68038
Formbook
c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
Formbook
d544f115e860d3282bd996d7b12ac92c10097d68d135667cca0f847ca754f8ef
Formbook
d9acad219b9fa52e4258fafd8c85b9e473b8f99435f4d9af4dbb953fae94a17d
Formbook
+ 9'800 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:s9m3 loader persistence rat
Link:
https://tria.ge/reports/211125-qqnevaafd6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.zhhctax.com/s9m3/
Unpacked files
SH256 hash:
80862d46bdac152572d0faa96c99edb9bcb3d5d3ff5d1d41771f5cb8ad164a2c
MD5 hash:
7c09b28f7639c8b2a033e88db5d9df53
SHA1 hash:
fbcccc3c2d024228a3e1dab743b3912ed8ccbb3c
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/71c596d1-fcfd-40be-9f60-4276d00a7083/
Parent samples :
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
62d54d23908b06fb851da8829798a3d82110e0c189a8794f9d7deb9642f1542d
91b5c318543587a212464565a4df06eae2ad2823338389134f06c4409047e18e
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
6c2c4e5bb1275643184f07bd2bce3f51722e3b3e0557fbf0d83c0dc6461c4a5b
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SH256 hash:
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
MD5 hash:
98b7ded3535167f063b28e937d837a31
SHA1 hash:
e2773bc252dc364340b5440aa781338e79288e33
Link:
https://www.unpac.me/results/71c596d1-fcfd-40be-9f60-4276d00a7083/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e50290f9b9cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45

Formbook

Executable exe e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 406f7f23782af62f91c03f7f56447a27f88b6d808b271a259a113d8b4e56bb45
Cape
Cape
https://www.capesandbox.com/analysis/209372/

Comments