MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4ba4c7cfa06963a05eb720c098686c8296e799fcfe96c7f44ae1b9ef814c1da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	f4ba4c7cfa06963a05eb720c098686c8296e799fcfe96c7f44ae1b9ef814c1da
SHA3-384 hash:	10babcd57f03791c94944470b8c1f65111864a552de2ed8918183a3ae0d4431a1b330df9a0044b77e7381c8b58fff086
SHA1 hash:	7e1bb15a8a13108bfdae90280b1a47aa46f0a181
MD5 hash:	596b608654b92e1ecfca12ea2a61d3c5
humanhash:	cup-fruit-mountain-neptune
File name:	SecuriteInfo.com.Trojan.Siggen15.51910.26071.7063
Download:	download sample
Signature	Formbook Create hunting rule
File size:	489'421 bytes
First seen:	2021-11-24 21:05:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	12288:uA7BIeNsNZkNFJPO6Ya88hxT21TDZ03N3:uSgaXIa88zT2d1ON3
Threatray	11'810 similar samples on MalwareBazaar
TLSH	T10CA47B5CB6624A9EDCD21470293F699043253D22777EA4F2732AFA9EF520C1DBC462F1
File icon (PE):
dhash icon	20b032b098ecd4f0 (1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quote Request - Linde Tunisia.xlsx

Verdict:

Malicious activity

Analysis date:

2021-11-24 18:13:42 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/67cfae0e-7f27-4530-8ef8-0cbe2e48b40d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.51910.26071.7063.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/619ea940f36138de3f3aa04a/reports/b4e47302-fb29-4443-9343-e97f828fd74a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/da3bf829-f7e5-4f89-afe9-c1031c0f7377

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/895768

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/f4ba4c7cfa06963a05eb720c098686c8296e799fcfe96c7f44ae1b9ef814c1da/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-11-24 21:06:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

2edfa5f806d554457c20a6d48a519f96f8da0bf6d53e54556be1bffecbbb9710

Formbook

387508d9f7c0d79b09bde31b037d1c43ceb1ce799a0cc94a77a20226477b47f7

Formbook

5f5195f363ef21135a5b5298c2a3576bd03125eec094d769b25296eb0a2605b9

Formbook

695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e

Formbook

90995079eb10cbbc7da16c81c68775a46c65a2901eca1731d537192d8266fed0

Formbook

c0363e690238ce1be218baa1c66a3fe647df3740da9448788945c6863ac6b07c

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

+ 11'800 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:hf9j loader rat

Link:

https://tria.ge/reports/211124-zxqm8adfek/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.dubaibiologicdentist.com/hf9j/

Unpacked files

SH256 hash:

f4ba4c7cfa06963a05eb720c098686c8296e799fcfe96c7f44ae1b9ef814c1da

MD5 hash:

596b608654b92e1ecfca12ea2a61d3c5

SHA1 hash:

7e1bb15a8a13108bfdae90280b1a47aa46f0a181

Link:

https://www.unpac.me/results/5c0d00df-3464-41dc-9241-065f7a27bd4d/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f4ba4c7cfa06/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/f4ba4c7cfa06963a05eb720c098686c8296e799fcfe96c7f44ae1b9ef814c1da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe f4ba4c7cfa06963a05eb720c098686c8296e799fcfe96c7f44ae1b9ef814c1da

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1813698/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/209201/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample