MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f47f29cebfa58b4356cea3bb53b36d669a2c4ef9481b48efadcfd1129b518768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f47f29cebfa58b4356cea3bb53b36d669a2c4ef9481b48efadcfd1129b518768
SHA3-384 hash: 4beee90311066d84d68ea680c649c5e545b43a5c564e69114e566475ed5ab3c624f2f9422f6eacee2ddcc6be20b5581a
SHA1 hash: 644fd4556037bbdbd71d8add168aa63809487abc
MD5 hash: 611dec6f91abb8a47e1a1bef6d8933e0
humanhash: sad-johnny-william-mars
File name:611dec6f91abb8a47e1a1bef6d8933e0
Download: download sample
Signature Formbook
Create hunting rule
File size:937'984 bytes
First seen:2022-01-25 10:07:34 UTC
Last seen:2022-01-25 11:30:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60001c6e865a4f78d5ea9add6c0c27e1 (1 x Formbook, 1 x AveMariaRAT)
ssdeep 24576:Vn0w79689uLrDdAh2JmkN4JE5maQ3DKT7vzGeO:Vnd/uZaCpeDgC
Threatray 13'199 similar samples on MalwareBazaar
TLSH T195158E26B3905433D4771A388E1B97AD6C29BE112D2CFE5636F4AD8C9E367403429F93
File icon (PE):PE icon
dhash icon b2b0f1ecccce9e98 (2 x Formbook, 1 x DBatLoader, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222327/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.35148.29551.6238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5062/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/61efcc09f81da814afa31c79/reports/1405b202-18a4-4d89-b07b-9f9aa1d093ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b170b50-65e8-4668-9949-c3fd0de46959
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/927139
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f47f29cebfa58b4356cea3bb53b36d669a2c4ef9481b48efadcfd1129b518768/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 09:39:59 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
27 of 43 (62.79%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1bdc41058e53e885ccf81cf42ddac59733b6608f40719017dde98ac33ed8b8f5
Formbook
8d38be02ab71fba9115c3a645edf515c62ffe53a5a590f7b37f362ab117473a1
Formbook
96a54086e0d1667ed27dacd61ce88129d2ae1236718babe4ee5b3054385cc215
Formbook
9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5
Formbook
b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
Formbook
c1657f01ccef85f3f46740a96704bc5dccfb4cf8fc9ac09abcfd7aa6660448f7
Formbook
cfd1a77378decd68cd7a59307b77b93247bdd91e00de5111ecae6b5658c8665f
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 13'189 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:i5nb loader persistence rat
Link:
https://tria.ge/reports/220125-l588msdgh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
f47f29cebfa58b4356cea3bb53b36d669a2c4ef9481b48efadcfd1129b518768
MD5 hash:
611dec6f91abb8a47e1a1bef6d8933e0
SHA1 hash:
644fd4556037bbdbd71d8add168aa63809487abc
Link:
https://www.unpac.me/results/3bc02304-9abb-4bda-bdbc-1b512b313be4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f47f29cebfa58b4356cea3bb53b36d669a2c4ef9481b48efadcfd1129b518768

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f47f29cebfa58b4356cea3bb53b36d669a2c4ef9481b48efadcfd1129b518768

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/222327/
  
URLhaus
https://urlhaus.abuse.ch/url/2004760/

Comments


Avatar
zbet commented on 2022-01-25 10:07:35 UTC

url : hxxp://192.3.180.39/3000/vbc.exe