MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f310fc8fbf4b741c34d37b8c1fa89949b8721719aa17c0d91ee652995b45092c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 18
| SHA256 hash: | f310fc8fbf4b741c34d37b8c1fa89949b8721719aa17c0d91ee652995b45092c |
|---|---|
| SHA3-384 hash: | 49ac3c320fc3bba13e195b799639f58ddbb3e431c548765aa4db7c59db0edaee81f22afd1d0c6ec54bfb0cc6642d7044 |
| SHA1 hash: | 0a67bac90b80e3a0a3be39020d77f8a6b81787b0 |
| MD5 hash: | 5bc9abc48696ebe81ee673c9587dfe2e |
| humanhash: | aspen-lemon-hydrogen-arizona |
| File name: | 5bc9abc48696ebe81ee673c9587dfe2e |
| Download: | download sample |
| Signature | Formbook |
| File size: | 389'207 bytes |
| First seen: | 2022-04-08 09:47:20 UTC |
| Last seen: | 2022-04-08 11:11:05 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki) |
| ssdeep | 6144:bNeZ1r2fhJjn8zN0ootLtLHIe8/a5EkIILxH1cV6o7gQiTp55L02WrQ6lEyYt:bNA2fhZ8zN0oEa1zixH1cV6o7gPNdABm |
| Threatray | 11'987 similar samples on MalwareBazaar |
| TLSH | T1FD8412046FBC8863C7E60AF129FB56029BF6C8165F5B4F0B47106B3A7D226C0B91E795 |
| File icon (PE): |  |
| dhash icon | 6667ead2dcb888c6 (1 x Formbook) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe FormBook |
Intelligence
File Origin
# of uploads :
3
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
invoice.xlsx
Verdict:
Malicious activity
Analysis date:
2022-04-08 09:17:44 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader formbook stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Detection:
xloader
Threat name:
Win32.Trojan.NSISInject
Status:
Malicious
First seen:
2022-04-07 12:03:36 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 11'977 additional samples on MalwareBazaar
Result
Malware family:
xloader
Score:
10/10
Tags:
family:xloader campaign:a2c8 loader persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
7c887742e14f2f1c3207cd36338da6a504ce463ff91d7b0549d3d50a54da1549
MD5 hash:
aed447bb5c507a698c0221bf9aef836a
SHA1 hash:
56e1cc10c2872d54238c9d6eaab85e7ca53edbff
Detections:
win_formbook_g0
win_formbook_auto
SH256 hash:
ddbb4c57b7f149493d256a2a08268f1d9475c53b67792506a6cc801f8a7b0224
MD5 hash:
990fbbe95c291d75822ba60dca32e119
SHA1 hash:
fa599a910c27629b9b1c8760f8a541715112d835
SH256 hash:
f310fc8fbf4b741c34d37b8c1fa89949b8721719aa17c0d91ee652995b45092c
MD5 hash:
5bc9abc48696ebe81ee673c9587dfe2e
SHA1 hash:
0a67bac90b80e3a0a3be39020d77f8a6b81787b0
Malware family:
XLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://198.23.212.248/45/vbc.exe