MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
SHA3-384 hash: 6c3d345770f8d428c9b9340268ad4faedc1936d8b0f102b363d5a957175c85afdc46262076224427cbd7098f8cbca199
SHA1 hash: 1c15af77ead16dbc2d7c3c1da7f189043532acd0
MD5 hash: cf80558eb44d749850aad70fd8237f99
humanhash: equal-triple-hot-spring
File name:gon.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:738'304 bytes
First seen:2022-02-23 15:03:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Y1yDENc6pleL8SbrzH22qla5w/yXbxYws1nfrfD4d2D:T8c63DSfzH0MW/IbxStL4d2D
Threatray 14'428 similar samples on MalwareBazaar
TLSH T140F48D08EB876981EDAD727A95F523023355F9748C8F920B71ED657EC9E73E42F40288
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243838/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62164cec875593a3cc0b2f74/reports/ceb57761-2cf3-4dbb-a48a-64f22b6e031a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fada38c1-c18a-4cbf-bb7a-f8cbb9df48cf
Result
Threat name:
FormBook gzRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944871
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected gzRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 577349 Sample: gon.exe Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 7 other signatures 2->72 10 gon.exe 1 4 2->10         started        process3 file4 52 C:\Users\user\AppData\Local\huss.exe, PE32 10->52 dropped 54 C:\Users\user\...\huss.exe:Zone.Identifier, ASCII 10->54 dropped 56 C:\Users\user\AppData\Local\...\gon.exe.log, ASCII 10->56 dropped 86 Tries to detect virtualization through RDTSC time measurements 10->86 88 Injects a PE file into a foreign processes 10->88 14 gon.exe 10->14         started        17 cmd.exe 1 10->17         started        signatures5 process6 signatures7 90 Modifies the context of a thread in another process (thread injection) 14->90 92 Maps a DLL or memory area into another process 14->92 94 Sample uses process hollowing technique 14->94 96 Queues an APC in another process (thread injection) 14->96 19 explorer.exe 14->19 injected 98 Uses ping.exe to check the status of other devices and networks 17->98 21 PING.EXE 1 17->21         started        24 conhost.exe 17->24         started        process8 dnsIp9 26 huss.exe 1 19->26         started        29 cmmon32.exe 19->29         started        31 huss.exe 1 19->31         started        58 yahoo.com 74.6.231.20 YAHOO-NE1US United States 21->58 process10 signatures11 74 Antivirus detection for dropped file 26->74 76 Multi AV Scanner detection for dropped file 26->76 78 Machine Learning detection for dropped file 26->78 80 Injects a PE file into a foreign processes 26->80 33 cmd.exe 1 26->33         started        35 huss.exe 26->35         started        82 Self deletion via cmd delete 29->82 84 Tries to detect virtualization through RDTSC time measurements 29->84 37 cmd.exe 1 29->37         started        39 cmd.exe 1 31->39         started        process12 process13 41 PING.EXE 1 33->41         started        44 conhost.exe 33->44         started        46 conhost.exe 37->46         started        48 PING.EXE 1 39->48         started        50 conhost.exe 39->50         started        dnsIp14 60 yahoo.com 41->60 62 98.137.11.164 YAHOO-GQ1US United States 48->62 64 yahoo.com 48->64
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 14:10:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697
Formbook
16956685e8f153db05d1eda237f9fde5ae23cecc8de57f891be024af9af05626
Formbook
280a181eae2d790e6992653b19b216b9407a948f42d32db3ad78e81660ff1f8c
Formbook
5de06778dd414ee2cc418f089914bb7a656ccf854a30a004d286599cda4c4013
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
fa3b721595b9e5571bcfd42767aa563f6e363a3fff9e9cdbfb525d0f28e62eb7
Formbook
fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945
Formbook
+ 14'418 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:8gce loader persistence rat
Link:
https://tria.ge/reports/220223-sfl55saec7/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Xloader Payload
Xloader
Unpacked files
SH256 hash:
b907805ee047ba0530e01a218bd244a4658fdd9f30375d1019ef9239385227bc
MD5 hash:
741fcb1d2a9a186a1fc464b6cc4aa056
SHA1 hash:
22c0eae99f2ac0936b2a4ac7f65fef998eccdee5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4da293a0-37ee-4b49-a0e1-84cb9182d326/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/4da293a0-37ee-4b49-a0e1-84cb9182d326/
SH256 hash:
27a14cfea357f95581de61d6d853f0c4a9609287dab06788c74240d5d9289ba2
MD5 hash:
15d4ccc1891b7feb9cb1353fe01f9aa1
SHA1 hash:
32d0ab5572a8538a80c2b139fc7b506f80f6e4cd
Link:
https://www.unpac.me/results/4da293a0-37ee-4b49-a0e1-84cb9182d326/
SH256 hash:
e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
MD5 hash:
cf80558eb44d749850aad70fd8237f99
SHA1 hash:
1c15af77ead16dbc2d7c3c1da7f189043532acd0
Link:
https://www.unpac.me/results/4da293a0-37ee-4b49-a0e1-84cb9182d326/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e812adcd8f84/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2055536/
Cape
Cape
https://www.capesandbox.com/analysis/243838/
  
URLhaus
https://urlhaus.abuse.ch/url/2055855/

Comments