MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e912182fd92da6a55c2130b42842864159e24d80ea37a885549c54f377cd7bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e912182fd92da6a55c2130b42842864159e24d80ea37a885549c54f377cd7bed
SHA3-384 hash: 847ac78688a08185ebc23df14f420553e5948017e28ca92d66b96c33d20180ffd362baa576cc708460fae2e9944c8038
SHA1 hash: 5e86bfbcf47b92fc4e9f2882d272f7112b3d5bc3
MD5 hash: 2eda9a2163200170bbcac352f02e5d1e
humanhash: eight-glucose-massachusetts-fifteen
File name:2eda9a2163200170bbcac352f02e5d1e.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:305'543 bytes
First seen:2022-01-19 09:03:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:ow86ea2o/B87tjmAFiK0X7GO4yc5qxZpdcw8l/o5CiosSH:dCoWZjTsKUB4ysbw8W5CiosS
TLSH T1FC5413DA27D0D4FAE961193A18E7C67992B367017661448FABB40EFB99361C3E4130C7
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220562/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe expand.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61e7d408d32385db63075e71/reports/c572d7d0-b780-4846-8632-9f4e057b09a6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e22becb6-ecee-457e-8a0e-6e3dfcc9aec5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923252
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 555734 Sample: a3VSpfDqch.exe Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 56 www.lovelilly.net 2->56 58 lovelilly.net 2->58 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 4 other signatures 2->80 12 a3VSpfDqch.exe 1 21 2->12         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\ylgvnpkfhhmurj.exe, PE32 12->52 dropped 54 C:\Users\user\AppData\...\vgcipbstwt.dll, PE32 12->54 dropped 100 Tries to detect virtualization through RDTSC time measurements 12->100 102 Injects a PE file into a foreign processes 12->102 16 a3VSpfDqch.exe 12->16         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 19 explorer.exe 16->19 injected 21 cmd.exe 16->21         started        process9 signatures10 24 ylgvnpkfhhmurj.exe 17 19->24         started        28 ylgvnpkfhhmurj.exe 17 19->28         started        82 Self deletion via cmd delete 21->82 84 Modifies the context of a thread in another process (thread injection) 21->84 86 Maps a DLL or memory area into another process 21->86 88 Tries to detect virtualization through RDTSC time measurements 21->88 30 cmd.exe 21->30         started        process11 file12 48 C:\Users\user\AppData\...\vgcipbstwt.dll, PE32 24->48 dropped 92 Multi AV Scanner detection for dropped file 24->92 94 Machine Learning detection for dropped file 24->94 96 Tries to detect virtualization through RDTSC time measurements 24->96 32 ylgvnpkfhhmurj.exe 24->32         started        50 C:\Users\user\AppData\...\vgcipbstwt.dll, PE32 28->50 dropped 98 Injects a PE file into a foreign processes 28->98 35 ylgvnpkfhhmurj.exe 28->35         started        37 conhost.exe 30->37         started        signatures13 process14 signatures15 68 Modifies the context of a thread in another process (thread injection) 32->68 70 Maps a DLL or memory area into another process 32->70 72 Sample uses process hollowing technique 32->72 39 svchost.exe 32->39         started        42 explorer.exe 35->42         started        44 explorer.exe 93 35->44         started        process16 signatures17 90 Tries to detect virtualization through RDTSC time measurements 39->90 46 msiexec.exe 42->46         started        process18
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e912182fd92da6a55c2130b42842864159e24d80ea37a885549c54f377cd7bed/
Threat name:
Win32.Worm.SpyBot
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 09:08:30 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:bc93 loader persistence rat
Link:
https://tria.ge/reports/220119-k1lq4sgeb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
0685dbab1b71fb278b7fe2be01129255518dc1117ad9f704171e67f9342a65b3
MD5 hash:
dbd129a9f2a8d63167c165e3156b5a44
SHA1 hash:
dd6d5390c8547627b32ef033627e9cc64f7f4867
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2a17670-d7dd-4d01-a8ed-f636ca9ea406/
SH256 hash:
383f0362d90c217667cca44230e150078d9ce9af656343cc5c4e802bfa3c4f77
MD5 hash:
569a342deab3635b39c259ee33ceee3b
SHA1 hash:
ddbe7fb9a5eab5da3e8724431733b748b0f19d9c
Link:
https://www.unpac.me/results/b2a17670-d7dd-4d01-a8ed-f636ca9ea406/
SH256 hash:
e912182fd92da6a55c2130b42842864159e24d80ea37a885549c54f377cd7bed
MD5 hash:
2eda9a2163200170bbcac352f02e5d1e
SHA1 hash:
5e86bfbcf47b92fc4e9f2882d272f7112b3d5bc3
Link:
https://www.unpac.me/results/b2a17670-d7dd-4d01-a8ed-f636ca9ea406/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/e912182fd92da6a55c2130b42842864159e24d80ea37a885549c54f377cd7bed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e912182fd92da6a55c2130b42842864159e24d80ea37a885549c54f377cd7bed

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/220562/
  
URLhaus
https://urlhaus.abuse.ch/url/1986804/
  
Delivery method
Distributed via web download

Comments