MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
SHA3-384 hash: 6ce1aa14e5a78c7e94b7d4b45af2788383e23aa77584b60ec83a41225687dc580cb43c13e6b9079c1f43059dd3b295bb
SHA1 hash: 48ac926df1e641b32935f095523140701d5013c6
MD5 hash: 4ba87f01d518f5b660cc487d488dbf3b
humanhash: march-connecticut-oregon-blue
File name:PO.10032021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:849'920 bytes
First seen:2021-10-04 13:39:21 UTC
Last seen:2021-10-05 11:00:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8276363bcf2f383c8cd04fac30801161 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
ssdeep 12288:0w6jlNSq3W9F1Sa+tiDWIyNsYAycjL7YiEFXXXB:Naeq3gF1Sf+WIyXAyAdSXXXB
Threatray 10'101 similar samples on MalwareBazaar
TLSH T1D20516164190AB28F1173B32FD4B028847F5683D2E144B35E6941B979B2F780EED69BF
File icon (PE):PE icon
dhash icon 1432694969516806 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.10032021.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 15:05:25 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/ce21145b-7a3b-4668-afd4-dc1e49409e60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194669/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Deleting a system file
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/615c100be3d213d202b76f88/reports/6ae73270-31a1-40ce-aa4c-14ba82958d23/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82a6e8e8-8043-4045-9125-cc7de9146e20
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863991
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496418 Sample: PO.10032021.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 29 www.purosepeti7.com 2->29 31 purosepeti7.com 2->31 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 4 other signatures 2->47 11 PO.10032021.exe 14 2->11         started        signatures3 process4 dnsIp5 39 cdn.discordapp.com 162.159.129.233, 443, 49750, 49751 CLOUDFLARENETUS United States 11->39 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Creates a thread in another existing process (thread injection) 11->61 63 Injects a PE file into a foreign processes 11->63 15 secinit.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 33 sumikkoremon.com 163.44.239.73, 49825, 80 INTERQGMOInternetIncJP Japan 18->33 35 www.phalcosnusa.com 166.88.19.180, 49827, 80 EGIHOSTINGUS United States 18->35 37 5 other IPs or domains 18->37 49 System process connects to network (likely due to code injection or exploit) 18->49 22 cmmon32.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 13:40:23 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oxranbh4icdfi646glthnpui65w6czolryay5w7kxbns56qqcxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c22acaa973cbb781aea92dc1fb5a8c7cc1fd2abd403f2a6b9703f8f1e1c8657
Formbook
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936
Formbook
909b2ca8fbea2b6c03ccf3d90e0416b12df094fcf02c47fbf59839a9ce105538
Formbook
9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490
Formbook
a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a
Formbook
a7acd97fcff334160640901d977010aa55397f5a6da375ab38bcb1622b800f7d
Formbook
d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2
Formbook
dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Formbook
+ 10'091 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pvxz loader rat
Link:
https://tria.ge/reports/211004-qykc6agde2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.finetipster.com/pvxz/
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/e6eb70d9-6040-4842-a336-76f14a038a01/
SH256 hash:
67a3ca23c38928a1ade6f6ff2380e348deb6e15883243b8767951888c307cfda
MD5 hash:
b56e808ae18905d43c226ab29c659db1
SHA1 hash:
85ef8874acdd7e7f53a782e2fe59f81a6e013050
Link:
https://www.unpac.me/results/e6eb70d9-6040-4842-a336-76f14a038a01/
SH256 hash:
fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
MD5 hash:
4ba87f01d518f5b660cc487d488dbf3b
SHA1 hash:
48ac926df1e641b32935f095523140701d5013c6
Link:
https://www.unpac.me/results/e6eb70d9-6040-4842-a336-76f14a038a01/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fbaf103427e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194669/

Comments