MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d
SHA3-384 hash: 74c8b2eb8553726459ae6620503be7a534417af24e3c1e347d104413140958f90d635c6767881e495ecf7d4c6dee1508
SHA1 hash: bca781a9c061606d4d3c19fd7b236eb458535be1
MD5 hash: ceafc23a2e1e865b1aac9c9c226fc73c
humanhash: sweet-uranus-island-kitten
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:399'216 bytes
First seen:2022-03-24 17:51:24 UTC
Last seen:2022-03-24 20:16:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:BGiEq3axKONVt5IEf54UoM/tC4Eomtrx4GOto4J2Zu415y0:Gq3axjvPaUnM4EowRLRi0
Threatray 14'579 similar samples on MalwareBazaar
TLSH T1E784F12171A4D2F3D420A470CC6BD2F6272E7E15DEA9712B73C0BF2E33FA1958816A51
File icon (PE):PE icon
dhash icon e8f8f8d8d8c8e868 (1 x Formbook)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257264/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.29196.22252.19163.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Reading critical registry keys
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623cafc60cd58dbd92e8c004/reports/e34466f0-6a46-444f-bbb8-11a619602d93/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5002a18f-41f9-4707-b9c1-d2e1e13a8662
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/963927
Signature
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596407 Sample: vbc.exe Startdate: 24/03/2022 Architecture: WINDOWS Score: 92 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected FormBook 2->47 11 vbc.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\...\cxtyucf.exe, PE32 11->31 dropped 14 cxtyucf.exe 11->14         started        process5 signatures6 55 Tries to detect virtualization through RDTSC time measurements 14->55 17 cxtyucf.exe 14->17         started        process7 signatures8 33 Modifies the context of a thread in another process (thread injection) 17->33 35 Maps a DLL or memory area into another process 17->35 37 Sample uses process hollowing technique 17->37 39 Queues an APC in another process (thread injection) 17->39 20 explorer.exe 17->20 injected process9 process10 22 systray.exe 20->22         started        signatures11 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        27 explorer.exe 144 22->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 17:52:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yz7ifgdjnhdjecjaqbcyi5xr65sbe5kp6pottlrjwxj6q4ira6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
085716dfefcb862a1677484242f5e03be402875e1752717a9e9f6ce346120ea4
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5
Formbook
58a3b0684756dd561c0300547a910b82c2b177d7644cca51b1e746302fe8fdbc
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
adee504198fbe0336c2f1cd0c729dc7624c582bab3bd796dbb525f2b0d98d9ac
Formbook
afb1cde138515b45b393db872662c5db328675d218868ca7f9d8732f8ad96faf
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
+ 14'569 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:wesd loader rat
Link:
https://tria.ge/reports/220324-wfrmeaccc7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d
MD5 hash:
ceafc23a2e1e865b1aac9c9c226fc73c
SHA1 hash:
bca781a9c061606d4d3c19fd7b236eb458535be1
Link:
https://www.unpac.me/results/0f0098ad-149b-4099-af9f-5909dda217c8/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f633f414c34b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f633f414c34b4e34904904022c23b78fbb2093aa7f9ee9cd714dae9f4388883d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/257264/
  
URLhaus
https://urlhaus.abuse.ch/url/2114274/
  
Delivery method
Distributed via web download

Comments