MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043
SHA3-384 hash:	77b364bf4a21fee95fd9496dddf870e471a81d11b1837c45f7e854e27332920b2a49ccfa3007797a319b3379efa5a65d
SHA1 hash:	4a77f01f367e91b429cddfa1a5ba16748f147433
MD5 hash:	a34e623ed417f4f449cde0830c5b51ca
humanhash:	lamp-venus-nitrogen-kentucky
File name:	2E_PRG_210909_SP-PRG020-21_SHANG_09155231-pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	261'628 bytes
First seen:	2021-10-27 05:53:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:wBlL/c6moSihPogPyzQ3g1EiAWoml2HuPM4HuZD:Ce6m8hGzQg1vomX0t
Threatray	10'870 similar samples on MalwareBazaar
TLSH	T13644122472D278F7E6835E73FFDA3671E3FBE6150061864753E0AE5318289CA945F282
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/200397/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Deleting a recently created file

Windows shutdown

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Link:

https://www.filescan.io/uploads/6178e97cdb358dd15edecdea/reports/75ed5639-bf73-4cd8-b415-6f45bc405aea/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/19ad9002-84d3-4612-89cf-a6bb104eef1c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/877520

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2021-10-27 04:44:50 UTC

AV detection:

15 of 44 (34.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ct7vdnet6m7i6s6iw76bf4s2bb2ld5tmyeyxi5k5qjgmepa6bbq._file

Verdict:

malicious

Label(s):

formbook

Formbook

19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5

Formbook

50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a

Formbook

b3bc74c1f3673da08a95775af5f39dd116a249d8a7e597fcd8bb56e07ae3bcd2

Formbook

d9cee5cc1ff9b14e0c1604dfded72f085e39b1983c41b595660a60bfaab942b9

Formbook

da0e2504009a426b799d9135979188e2c4533f69c2e981650afc51d5e8e320c2

Formbook

e6cde5c1b614549613d30761b34c899f4ff69d7e6e3147c21d68bedd64f8fe25

Formbook

f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

Formbook

+ 10'860 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:o2go loader rat

Link:

https://tria.ge/reports/211027-glwe8aagc8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.vezmnmnr.xyz/o2go/

Unpacked files

SH256 hash:

f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043

MD5 hash:

a34e623ed417f4f449cde0830c5b51ca

SHA1 hash:

4a77f01f367e91b429cddfa1a5ba16748f147433

Link:

https://www.unpac.me/results/579f538e-c3c3-49d9-8bde-8a48905575ed/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f0a7fa8da49f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe f0a7fa8da49f99f47a5e45bfe09792d043a58fb366098ba3aaec126611e0f043

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/200397/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample