MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512
SHA3-384 hash:	74dd9292f32ff8af6205eebcd964d8ff904f62055404199317efb972493379a26b6aa1d60acc31fb37cb79a9406a1341
SHA1 hash:	29d71fdcf9bf142da347470cbf0eae90b352dd7d
MD5 hash:	9597713af0d2566f6e3186196d31e520
humanhash:	bacon-white-utah-fix
File name:	SecuriteInfo.com.Trojan.Win32.Save.a.6339.10816
Download:	download sample
Signature	Formbook Create hunting rule
File size:	2'104'912 bytes
First seen:	2021-05-02 08:06:31 UTC
Last seen:	2021-05-02 08:50:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	768:sRZRCxJvfWlQ1ZGMSOs6ZCyeDOKkYh+Qz5LBYEJWtprV3oybcpGjZa6463xhgWDH:+fp+n
Threatray	4'936 similar samples on MalwareBazaar
TLSH	F7A5B95573D7601CFAC6781AFF9617F042B6333876BFF46861A6012A9E807B48071B9B
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/147893/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.6339.10816.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Unauthorized injection to a recently created process

Sending a UDP request

Adding an access-denied ACE

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/706401

Signature

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Found malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-05-02 06:19:13 UTC

AV detection:

14 of 47 (29.79%)

Threat level:

5/5

Verdict:

malicious

Formbook

67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96

Formbook

719604b516f11740266b2c7a8a61129f779caf4c1f9e16bac35d39f5792a009b

Formbook

7b1f7ca6d7203473484a7f221f68c56eff50d196db18a18e9fcf0142dd60a02d

Formbook

7c8eea0e649a176edb83fc19998f0e99be49c7bee1ff9090d1be69f614554088

Formbook

7fba034b2f0aa5f549bda067c80b6494a02ea3d96e70e13701845bcfe7ade5e7

Formbook

c8ae2ba5bc167ab220f8d6e57d6672f64093b7c8e54fee7b810614ec98641aeb

Formbook

c9afe6904407e9b60e73edf93efbd932b6725f0f4f33306117ffc9854c21cae2

Formbook

ce99378f7bcd95a0441b3572fe948daeb420ec960719761b249b817e5c0cec37

Formbook

fa768e26f300f2c19ef11635dd836b031e0b5352d86d40cdc24284bf874230e7

Formbook

+ 4'926 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210502-jqbyag36sx/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.jqjdgw.com/ued5/

Unpacked files

SH256 hash:

309101f787d3c99592e05be1f6e81212dac34c2c8cdfed9142cc5dd0771f2a5a

MD5 hash:

e82d6eebbcac02b8ea1290f6289585ce

SHA1 hash:

ec27a3918a287fd6c693724e51a74829227e114a

Link:

https://www.unpac.me/results/156ac4b3-84e2-45e8-94d5-d1bccccb4e7a/

SH256 hash:

a04f33a90a54eaaa60108d3dd9aab746b5b69dd54f1c82d986b5ea0bc5efc58e

MD5 hash:

d37601609ef7773418d9842b204d4f4a

SHA1 hash:

d6743754dc991c0641ab9681593c5f5edd258931

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/156ac4b3-84e2-45e8-94d5-d1bccccb4e7a/

SH256 hash:

f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512

MD5 hash:

9597713af0d2566f6e3186196d31e520

SHA1 hash:

29d71fdcf9bf142da347470cbf0eae90b352dd7d

Link:

https://www.unpac.me/results/156ac4b3-84e2-45e8-94d5-d1bccccb4e7a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time