MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785
SHA3-384 hash:	062a78e67b552d7ae725594a54dbebdf1670c61bafddb34c7996f3916795c6c611f9a4ec09e6f0c4765ceafff8535bdf
SHA1 hash:	1bdef262e81ba80d8bd4b94abf106444754f1cb7
MD5 hash:	235cfac32180bb40ce5c379fcaf75c27
humanhash:	comet-cardinal-maryland-steak
File name:	TNT Original Invoice PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	445'952 bytes
First seen:	2022-02-14 07:11:54 UTC
Last seen:	2022-02-14 08:20:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:zJyasVrlZrRWOt0YYECiG/hw2vTBayRzUoK:zJHshnrYd6u/y2r1RIo
Threatray	13'287 similar samples on MalwareBazaar
TLSH	T19794D02550F311B6D8A887FFF861D60C2F78FA6F8517B6FA0448603808BDBD4468A677
File icon (PE):
dhash icon	c4a4d8dca0cc06d2 (5 x AgentTesla, 2 x SnakeKeylogger, 2 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook TNT

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/241282/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.3068.27316.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

Unauthorized injection to a system process

Gathering data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0fbe6365-8cbb-46bf-89dd-d8afeaf95e4c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/939132

Signature

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-14 07:12:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7igfjl2cv4inxm2gezku66e4buanhevgxsqac74xxk62tyl666cq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3a1b706adecf798ffa11002e153bad33e9f82e6a9da82f7777c27d2cf7b23b0d

Formbook

3d1c26a55a0b7a502b019b18f4b6e87c1273d3c42a50d20c958d510f530c5f40

Formbook

3e744c3094645bf04cea5756fe54d7b04a32a59bed5d945ac4ccc9b06fb85ef5

Formbook

41d5c1e02c1b4a694660a1c8759ffd46569f5b9574ed99a08d3f00cd2765d2d0

Formbook

7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c

Formbook

9774f8078d941b17f5018bf3759bca9e62cfe4714ed55d5bd33737fcbba25ce3

Formbook

b7cf8d9d8db4c5eaf796d35251bfc2b24f34c2c77d2ca82a1ebf470323c0894f

Formbook

b972dfd3f5fd6142b67366d223c0056b75d3d93538a7c05ce35e27ad1c9541ed

Formbook

+ 13'277 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:zqzw loader rat

Link:

https://tria.ge/reports/220214-h1kspsgbh2/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Unpacked files

SH256 hash:

79ae0b03c7fb13f978ce4d5240f8ac11d7df67fa21d870dd77fc7566685c2ec2

MD5 hash:

b1e1ec5c090c44cf46751f1a1ec609b6

SHA1 hash:

ae8c65bfa078322b1f6ff8fec4361373edaf01a5

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/67d28913-eda9-4b82-92c0-e480689c22de/

Parent samples :

82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab
e8232a6b14f66804622f2ea2bfd8c2d8bfe5eef292f664c5801844b96a84d125
2a170cc5086a00b41ce8ff4bcf8fce45f85aef342d4cf4d08f018943cc5221ac
fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785
ed99b5652455f1287171fd7d49a5ac69add7ed72a08712d4c66f6474fd094615
08e2b0e469f2809991e59e65177fe994f3aeeea601a2af8aec6c7ae1406debb0
cd4ee025ad3406b7e572952d42465eee19649cef6c0d3a6acbb0e972096988f4
670a250601cc6d66fe3491438274b4a3de650b7283525caf699ab7d81ff93b93
3c6a613507d90d332e2d4d7f91c7c2ef3135e464e5937b1da1a9c4f749528343
c0a5470477f1ef65286a66e14b46c02b71c41eabc473b9885fbe7911844d90b7

SH256 hash:

c03bff90c5f9c384ff3b4c7555defdd64a6b4263014c8e78f335d428db714930

MD5 hash:

9509f7c8b5aace31efdd33965b43d486

SHA1 hash:

dc12ef8bab1ec51b45736ca74f1e2ea6b85db478

Link:

https://www.unpac.me/results/67d28913-eda9-4b82-92c0-e480689c22de/

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/67d28913-eda9-4b82-92c0-e480689c22de/

SH256 hash:

fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785

MD5 hash:

235cfac32180bb40ce5c379fcaf75c27

SHA1 hash:

1bdef262e81ba80d8bd4b94abf106444754f1cb7

Link:

https://www.unpac.me/results/67d28913-eda9-4b82-92c0-e480689c22de/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/fa0c54af42af/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/241282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample