MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9aa5ead78afd5f5b233ce0f83e8f5e9fac12c110ee558516d7239c31680c606. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 12

SHA256 hash: e9aa5ead78afd5f5b233ce0f83e8f5e9fac12c110ee558516d7239c31680c606
SHA3-384 hash: 85bfb7be8361741c59fe57f2145fb9061f9e4074ac7ac256afb69b856298a5ee832b55c2f95ff60d7bf6302993407e72
SHA1 hash: 6d199f3d73e544758762eeda8793e6c607083b6b
MD5 hash: fcb154b336e968c49ae9853a41b2c469
humanhash: five-earth-two-princess
File name: fcb154b336e968c49ae9853a41b2c469
Signature: Formbook
File size: 1'130'360 bytes
First seen: 2022-04-06 16:04:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98af55cea50542926ec50c986b130f44 (1 x Formbook)
ssdeep: 24576:374GNC7/ZbJJn5dFhd1hqm/TE10uhsRt97aSyKcOlZyMOyB:L4GNI/pJFjFXhL+0uhrSVr6MOy
Threatray: 13'878 similar samples on MalwareBazaar
TLSH: T127352385EAFAC162EDB49F336120D430B735E6F97E97821C149D25E3A6226D1C3780ED
dhash icon: a2aaa2dadaa2aa8c (1 x Formbook)
Reporter: zbetcheckin
Tags: 32 exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
  Creating a window
  Searching for analyzing tools
  Searching for the window
  Creating synchronization primitives
  Unauthorized injection to a recently created process
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: exploit overlay packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
  Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  Found malware configuration
  Hides threads from debuggers
  Malicious sample detected (through community Yara rule)
  PE file has nameless sections
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to detect sandboxes and other dynamic analysis tools (window names)
  Tries to evade debugger and weak emulator (self modifying code)
  Yara detected FormBook

Result
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2022-04-06 16:05:11 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 16 of 26 (61.54%)
Threat level: 2/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:p4sm loader rat
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Suspicious use of SetThreadContext
  Checks computer location settings
  Xloader Payload
  Xloader
Unpacked files

SHA256 hash: c7d770978b5c11ff480e21af8501df2ee31649fc051ee46da25fe0067e2a587d
MD5 hash: 704dfa4770376dbb5f54065e64ceebf6
SHA1 hash: 450ca4a310b7a12f98476fbeb64c59247708f8e2
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 8675d82ba8aa539824a6827f88e44ba59214897d808ae82dd4fb8389f090a435
MD5 hash: 466d573467a16a51f8d130d72b3e7062
SHA1 hash: ef257b2cb2ab71aef9887290e5ca2e7dadcb2b6b

SHA256 hash: e9aa5ead78afd5f5b233ce0f83e8f5e9fac12c110ee558516d7239c31680c606
MD5 hash: fcb154b336e968c49ae9853a41b2c469
SHA1 hash: 6d199f3d73e544758762eeda8793e6c607083b6b

Result
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File: Executable exe e9aa5ead78afd5f5b233ce0f83e8f5e9fac12c110ee558516d7239c31680c606 (this sample)
Details: Distributed via web download

Comments

zbet commented on 2022-04-06 16:04:17 UTC

url : hxxp://103.156.90.79/save365/vbc.exe