MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a0d475c350215a9012f33149a8918ce8432f70af12904de606f4a18921bf49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	f1a0d475c350215a9012f33149a8918ce8432f70af12904de606f4a18921bf49
SHA3-384 hash:	138873d0a5d4fb20b91b9448a589be2bd2068e204321b7b1d91ea9a63ccc3555cf8b71010abc9cf793a022ddd9d92cb7
SHA1 hash:	241a5ed82a8f3c8373ae1af891822383a977edae
MD5 hash:	2daaf51eeaa3ab654501a2f238d70f20
humanhash:	blue-romeo-mountain-venus
File name:	SecuriteInfo.com.W32.AIDetectNet.01.2074.31330
Download:	download sample
Signature	Formbook Create hunting rule
File size:	607'232 bytes
First seen:	2022-07-25 02:38:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ryid30MX+ze59WDECaqbzPPoKlnSNNhckfMp3D8ydx:ryidEMuze5tCamzXoGnSNNhcdp3YQx
TLSH	T147D4023C6BB5AF27EABC47FC1571105003B661612862E35D1ED270EB29B3F748E50A9B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293843/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.2074.31330.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62de0287b3bb70bb32de8f4b/reports/0e542242-2d8a-47fa-a3e6-40092394e8ff/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cb048dd3-c4bb-4e2c-b98e-c28ea7ba3a5c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1040094

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1a0d475c350215a9012f33149a8918ce8432f70af12904de606f4a18921bf49/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-07-25 01:40:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gqni5odkaqvveas6myutkerrtuegl3qv4jjatpga32kdcjbx5eq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/220725-c5a66sbcc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader payload

Xloader

Unpacked files

SH256 hash:

57ef5c5f01b189bc4ece4ceaeb51e9c8cf0d843726acbea7f780a9a2899ca674

MD5 hash:

4bb2b8d62a55271762abe3f5ffe52894

SHA1 hash:

6ce0a94d2a7974df5198bfa3fc1d799ee35d77b3

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ac9a9a48-8822-4e4a-a12e-7d62a4e49006/

Parent samples :

742c0f69fa522736496e540ebe4d36f5bffa7b994485c7a06bb1a557ea06c15d
e210e11f8bed1a04ec9b472f5835081979e144b96d93e5f96c84aadf6012a2b6
a9aa59bed8eb3e4839b215c072549c359c3867b238e65c4bf98a5f274d2808bb
46ffe35598b3c2489b6b2830ac9afe19385161fd055b59863460ea073e562ad3
3ae816aae6ee27d43528398f0dabe972e188c6b005e29a6288ef15c74678ef5c
f1a0d475c350215a9012f33149a8918ce8432f70af12904de606f4a18921bf49
ece69e9d47fc20aee5fb15bed011ddc07042da79d8947c8aa964e72a31c0a463
c4af930a3b1a84b931016014a9a391da8b08857f7bdb26f12461b6dbc057ed88
26c9fd6c55b7c5ed6e8b43a4be26bb74f1b8d043a22aee090f022c65ac3ba858
477ca79c48c0ae888a5da641e5fbabc7d7c8ba7100e77a9b09cc66719360b086
b2f634be000cf32e481c6f66928d8a428a3481f17c7a045a39150bdf9ae6dbe7
19f67f8e8d53e712c27eb18cb84cbdb6e4536a410508360c6d7b0a0571ba48ee
0dc57802ed3d6837fabadc852dd1203a593b166ea46e02e16b5e28dd1a2d91c5

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/ac9a9a48-8822-4e4a-a12e-7d62a4e49006/

SH256 hash:

3319510f20749135795641333f4aeb905e0f1d123d5bb7b75bf0085358627e60

MD5 hash:

bdd231706b01f7240a07da06a5263b44

SHA1 hash:

bc29a2436926829a5dd4d9b3407b5eb9c43da5b0

Link:

https://www.unpac.me/results/ac9a9a48-8822-4e4a-a12e-7d62a4e49006/

SH256 hash:

2a90ccb4adb08d826c0bf77a2d0ff61e44d21c7f0f3fc194b339dac9725db2d5

MD5 hash:

a953fc37b14314d3d767bfda5f844fa3

SHA1 hash:

75b893e6e657842872c2c733407d4a0ff60df887

Link:

https://www.unpac.me/results/ac9a9a48-8822-4e4a-a12e-7d62a4e49006/

SH256 hash:

13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451

MD5 hash:

8b3a92a3409ae046bf3dc0753fcf8685

SHA1 hash:

4455c3efa2bf569f6d180063bb1e104a22581d61

Link:

https://www.unpac.me/results/ac9a9a48-8822-4e4a-a12e-7d62a4e49006/

SH256 hash:

f1a0d475c350215a9012f33149a8918ce8432f70af12904de606f4a18921bf49

MD5 hash:

2daaf51eeaa3ab654501a2f238d70f20

SHA1 hash:

241a5ed82a8f3c8373ae1af891822383a977edae

Link:

https://www.unpac.me/results/ac9a9a48-8822-4e4a-a12e-7d62a4e49006/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f1a0d475c350/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/f1a0d475c350215a9012f33149a8918ce8432f70af12904de606f4a18921bf49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/293843/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample