MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc012967b327039a1bf1ac88cf5b5226cd5534083759a0920018d19d94cc3453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	fc012967b327039a1bf1ac88cf5b5226cd5534083759a0920018d19d94cc3453
SHA3-384 hash:	761764b756443a61f188ea60d6341a8d04d2b3973a058908e90805a6ba9e327318b54c1391db0aeac404d002d91c1105
SHA1 hash:	7a9053cc90945cb85e50ffc68acd84ca6c3ea787
MD5 hash:	477507eb2efd3e13f3689dc3d4eac75d
humanhash:	sad-cup-wisconsin-johnny
File name:	188428754-041540-sanlccjavap0003-2190_PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	566'784 bytes
First seen:	2021-10-08 09:23:27 UTC
Last seen:	2021-10-08 10:06:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:qX54SGkCfHQmsqvFoouv6i6eFPS5DAPLMbPYTrdJ8kU0ocYnKhtUSOJI9x:i4S4fce6z7T+APL6Y4kTocYnKrUSO
Threatray	10'620 similar samples on MalwareBazaar
TLSH	T125C44873D986D298C97583FCD22B738313245C61E8F9DA6E16723091177AF8168BF623
File icon (PE):
dhash icon	70e89296e8f0f071 (4 x AgentTesla, 2 x Formbook, 2 x LimeRAT)
Reporter	pr0xylife
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

188428754-041540-sanlccjavap0003-2190_PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-10-08 09:25:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c65db67e-bdb5-4e79-876d-ff784a1f2ad5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/196101/

Detection(s):

SecuriteInfo.com.MachineLearning.Anomalous.94.8226.18940.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61600e35b95458900cdf1b5a/reports/088e6911-a48d-4f57-8a41-a007d6f7bd63/overview

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f9e8628-9a78-43d9-8f04-61370e316bc7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/866988

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/fc012967b327039a1bf1ac88cf5b5226cd5534083759a0920018d19d94cc3453/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-08 09:24:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7qassz5te4bzug7rvsem6w2se3gvknaig5m2beqaddiz3fgmgrjq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1

Formbook

3c185c2191d1bc3a281f26cb51114b69b6d36a9fd63b3103d6c41608c8baf8a8

Formbook

50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a

Formbook

5c175aad872d219fa23de0c83ea085fbdca8d76601167089b4e55ee66d520276

Formbook

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

a325ff051ebc1d366533e22fba4a75a4c0b183a28457ed2fea0841f68da06334

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

e6cde5c1b614549613d30761b34c899f4ff69d7e6e3147c21d68bedd64f8fe25

Formbook

+ 10'610 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:sg5c loader rat

Link:

https://tria.ge/reports/211008-lc2yvsdgb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.maquinadevendasonlinegrt.com/sg5c/

Unpacked files

SH256 hash:

01a38699b9233d3820076fc48b4c51fc2b05ffe267e0e8d35d49c46807bf4ce2

MD5 hash:

1ec6d90667c4b8276f3b0d9a256eb2a5

SHA1 hash:

b03444c137cedde1028f883dcafc29bfea992ac7

Link:

https://www.unpac.me/results/c42beaa5-1513-49a9-9a9b-0d16104cf4aa/

SH256 hash:

fc012967b327039a1bf1ac88cf5b5226cd5534083759a0920018d19d94cc3453

MD5 hash:

477507eb2efd3e13f3689dc3d4eac75d

SHA1 hash:

7a9053cc90945cb85e50ffc68acd84ca6c3ea787

Link:

https://www.unpac.me/results/c42beaa5-1513-49a9-9a9b-0d16104cf4aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/fc012967b327039a1bf1ac88cf5b5226cd5534083759a0920018d19d94cc3453

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196101/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample