MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
SHA3-384 hash:	6b1079cbeab79c7dab1b8076bc0272c28d55aa0620ab9bd1bcd250ee1ac081c861bff47b3f89f76d91d4d55f2247017d
SHA1 hash:	6881f4922112e2c68d2540f0d807d46ab09b4fa2
MD5 hash:	bf3fa040704b6f8e7dbe62f86ee0e407
humanhash:	violet-september-nitrogen-romeo
File name:	Statement01202202_000000000000001020010201021020010.pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	436'342 bytes
First seen:	2022-01-03 03:58:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:GybLOf2RkUCk0iSd69kPFr0ViyjdlesKIuq4ctrUMqxdloO9j0L2AlQGd8rNhhfp:jbLlCU0M22iyj+I3Exdzj0L2ASmyNHx
Threatray	12'767 similar samples on MalwareBazaar
TLSH	T17F942296BEED356AEE182936183FE639C6BA9B0343F3101317D93FA65F240812B5D153
Reporter	GovCERT_CH
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Statement01202202_000000000000001020010201021020010.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-01-03 04:00:05 UTC

Tags:

installer

Link:

https://app.any.run/tasks/d1ac2adb-d738-4aef-a511-38e9b5652630

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/217119/

Detection(s):

SecuriteInfo.com.Trojan.Risis.1.Gen.6435.26913.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61d27488ec6c6c14a906a0df/reports/af24d0b1-0228-4c5a-8dc3-cbeaa6437c67/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8aba3d38-eb8c-46ee-8b3f-0244f15b494c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/914718

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Double Extension

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2022-01-03 03:59:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ag5bp3uak7l2a6tapexzdot7eq5h2jdujjb6srk6lsl6pbirkqq._file

Verdict:

malicious

Label(s):

formbook

Formbook

5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758

Formbook

6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf

Formbook

6d722da095632d50aa49b4749a4e7db323889aee6fad1ecc2c5dd999e63c645e

Formbook

7206a2aa27d3bb73daca20e7327a3e4cc2f66940e27cda04d3e8440450617596

Formbook

73db754f5e709731e9c07c230fa6512ee75e07184c367e3f80b1bf646e7b72da

Formbook

86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c

Formbook

9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908

Formbook

9e4e02725cde43b4da85cdf054b11ad0e4a622bb54f4a967b1634ebcaea9666a

Formbook

aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c

Formbook

+ 12'757 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:b556 loader rat

Link:

https://tria.ge/reports/220103-ej316sbaa5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Unpacked files

SH256 hash:

f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1

MD5 hash:

bf3fa040704b6f8e7dbe62f86ee0e407

SHA1 hash:

6881f4922112e2c68d2540f0d807d46ab09b4fa2

Link:

https://www.unpac.me/results/d0625db9-4777-4869-900e-863f9c82e9af/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f80dd0bf7402/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1

(this sample)

Dropped by

xloader

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/217119/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample