MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments 1

SHA256 hash:	e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3
SHA3-384 hash:	f753d433c952088f73b7ddd4a8b3113ca7fa26575c4bf19ed7e0c0fbf159a7740ba81dd418b287eed1647c063ab34b5f
SHA1 hash:	19d005238c5a8b59c3dd02eeadefcaf76d2310c3
MD5 hash:	b3a25f8fa62494ca8b99b28c4b4bb9b7
humanhash:	sweet-football-cola-lemon
File name:	b3a25f8fa62494ca8b99b28c4b4bb9b7
Download:	download sample
Signature	Formbook Create hunting rule
File size:	663'552 bytes
First seen:	2022-05-20 13:29:36 UTC
Last seen:	2022-05-20 14:47:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:DEtJPfQaiVgb2TPA41j2lCT1Pb+74+6DOJgJffv5Hs5VOj8ogAt:0fyVgb2TPzqcT1Pb+74+RJUXv5HI
Threatray	12'163 similar samples on MalwareBazaar
TLSH	T138E412252BF94B37E0AE97FDA0A1502113B7F20D7913F31E5AA910E90DB3391895277B
TrID	54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b3a25f8fa62494ca8b99b28c4b4bb9b7

Verdict:

Malicious activity

Analysis date:

2022-05-20 16:53:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4a999b4f-ccea-4a42-b426-10e928c99034

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273060/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Sending a custom TCP request

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/628797ee3ec49f83a6b9a600/reports/0303938d-a7f5-4f38-88c0-23db256058b6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4c8b936-394a-4754-b9db-1a747befb2a5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998625

Signature

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3/

Threat name:

ByteCode-MSIL.Trojan.RealProtectPENG

Status:

Malicious

First seen:

2022-05-20 13:25:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef

Formbook

5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856

Formbook

6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf

Formbook

71ed38b5c950b506cced8e7d12d773bb1fa20daadf3570a98577054749caadfe

Formbook

9743e0c9282aca077061e690b4b1fd70a0def71147f7ebbee648ae91cca0d459

Formbook

ba3eb6491a8a4953418407379da280e591d403f2ada5f3ac941bcfaab1951418

Formbook

dc0ed0d428679dd6269a17ca9c6fd5d0af9ac0cf62fd66c3abf30736a0df9ad2

Formbook

ddefebb59f9e4b8fc00e13686024f829fbc7d82a2b0d07fd29748071708a5850

Formbook

+ 12'153 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:n6g4 loader rat

Link:

https://tria.ge/reports/220520-qrsqysdhc7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Xloader Payload

Xloader

Unpacked files

SH256 hash:

94241fe79dab331bfc2eea55737fde652a7b87db66019ba79cf3b1ffbd5c655f

MD5 hash:

6f5997f955d95110150aa2ce8b6f3a87

SHA1 hash:

9e924c8d8ccbe3836bf7c5159029fb16a8075b24

Link:

https://www.unpac.me/results/a43bb74e-cadc-4582-90f2-1ba2c217675c/

SH256 hash:

4cc8fac2c632d17ef19d9a7b282a3a1f034a7ad03b6107d466fbc2277f7d3469

MD5 hash:

55e63421ab336dc1b9e2642c07a4018a

SHA1 hash:

eac12375fe245a4c665f745654755844cab7dd58

Link:

https://www.unpac.me/results/a43bb74e-cadc-4582-90f2-1ba2c217675c/

SH256 hash:

5908b5657ebdf0d32c533235c17918d4af7193eea615db2b3a05f3aeafa5ab08

MD5 hash:

9e2664cf48ec6abeea9f24050ce4bead

SHA1 hash:

f2f54ea26272d1bbf07e83488b2fe8821418ec40

Link:

https://www.unpac.me/results/a43bb74e-cadc-4582-90f2-1ba2c217675c/

SH256 hash:

bcc1ff0c7bc4d1ffc8fede4bfc00ebdc331e53138e7d56a542a2a6a62ff037b6

MD5 hash:

db208c90e3042616c1553e7177404d84

SHA1 hash:

8bf78458fb2ae652936ca7bfaf62937faccdfa41

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/a43bb74e-cadc-4582-90f2-1ba2c217675c/

Parent samples :

a6c9f393ac5677eeccc1451ed5e1fd58c52771c06673781ce495eb956c7b867a
8a10a7d039e501feb322fc8d7777353ce540f23ffdf76a402852106581334e56
e01aab97bf2805546ef29b22bb0d9e3e2205d4a319faaf6f7f4ce966b8aaa149
44c088af1487247b48ef427d49ce3be93642e593f3ba4d730ba41d56ce17b66b
b409cabbc8dbdfa8a3d1a60cb225f27386dfcc61b3f7379812218b6660ef654f
8ff19d8ae3d48bed91963633eaf4fe35d96eca6c6bfa0dd4fe4cc54b4492c2d4
c9c30e8b5fcdba36818cdb867d9c3aa29ab421ea94eb77d2eb82001c8d9e770e
e54460b814db593c07a06645065eb94fa5fcf08b77a459d1ce79ce401d3e0075
fe830bb897373330395a82f70ff277acfa996e18dbbd5c74ebc9496e00e3c363
e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3
09cbeac5eba144d439480d11c57a96aa1a692684512b08ea92211267ff54508e
e2bb153627e7cbf914f93bdfa91d1a44b4e405bd277090e1d1a4dac106f13a41

SH256 hash:

e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3

MD5 hash:

b3a25f8fa62494ca8b99b28c4b4bb9b7

SHA1 hash:

19d005238c5a8b59c3dd02eeadefcaf76d2310c3

Link:

https://www.unpac.me/results/a43bb74e-cadc-4582-90f2-1ba2c217675c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e793dac4e4c4c8553c02cbe177b1de4759bf777d150eca151c53e9c58f6b23d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.