MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3
SHA3-384 hash: b965b0c52b88910417f9087d49f91a9aba6d1b2107908daea6cd1f08f1f7b6f5508a85b3e9e6e5cac7e3d4443457a8d8
SHA1 hash: a64211b8384db8652a90b64038ceedc198a1c35f
MD5 hash: 688a80f956364e2d3937b973c41cfbb6
humanhash: item-purple-vermont-earth
File name:SecuriteInfo.com.W32.AIDetect.malware1.17659.21832
Download: download sample
Signature Formbook
Create hunting rule
File size:372'736 bytes
First seen:2021-04-12 13:45:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c198acdc88e6433341d82c12cfad0a9 (2 x Formbook, 1 x CryptBot)
ssdeep 6144:udyAPECLp4dK/eNvPn7JhCDQ9RTatK5DQtwpEpEywGvUnek:udyAf/eNvP3CDQ9RatCDyw2we
Threatray 4'673 similar samples on MalwareBazaar
TLSH C784CF1133D0C133C05325798516CBB68EBE743566656A8FBFC90FBC6F296D1A72A30A
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice Payment Information_Purchase Order Confirmation.docx
Verdict:
Malicious activity
Analysis date:
2021-04-12 11:17:51 UTC
Tags:
generated-doc exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/f27bbc15-1914-4c21-bfeb-8e9a5b9c6bdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133769/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.17659.21832.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673130
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-12 08:48:22 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  1/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6657aeabd5ded830361aad9112749d785fc0fbe46121daeb7acb23cd841274ed
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
98bf20a283219c4cc786234b7d389766fddbe3b095d13c9109f5406128e83103
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
b2697b1c939e346a4adcf8ed2cb4a0e493f2390a54a0457c95fea5485c2fa19b
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
Formbook
f86b0f3ec06d574080bd86e2980c7d04c29d4093d025fe592a567b5767031d2b
Formbook
fd0cf58b93453778c312805f74673284da2548389ee866c37cc91431f0ba9cb1
Formbook
+ 4'663 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210412-2h85351wee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.scott-re.online/nnmd/
Unpacked files
SH256 hash:
05a4ce7e8d6d923ce392466f0c611ad340042743208068a4c73dab5b8a062326
MD5 hash:
5011a7bed7d8851b64a5b39b35443a9b
SHA1 hash:
140266a5509c547dbc04d9f192e8f8bf2a036782
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/615d81f2-761b-4066-baf5-de6f3b8a1cb8/
Parent samples :
f86b0f3ec06d574080bd86e2980c7d04c29d4093d025fe592a567b5767031d2b
98bf20a283219c4cc786234b7d389766fddbe3b095d13c9109f5406128e83103
f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3
SH256 hash:
f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3
MD5 hash:
688a80f956364e2d3937b973c41cfbb6
SHA1 hash:
a64211b8384db8652a90b64038ceedc198a1c35f
Link:
https://www.unpac.me/results/615d81f2-761b-4066-baf5-de6f3b8a1cb8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f36d0fe551b2be41e023f6a55d35ffb3ae7a5e021703c4b49235e04e296aceb3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1107298/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133769/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 15:50:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0050] File System Micro-objective::Set File Attributes
6) [C0052] File System Micro-objective::Writes File
7) [C0033] Operating System Micro-objective::Console
8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process