MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7
SHA3-384 hash: 14694078ca8fd0151ee2e54ad6c91d9b2a55e00134e88ec1de9f3d69f11b43a93d70c44258a80eef0b7fb2bfc498273e
SHA1 hash: 3518eb79082655a27598a1025d581ffdba11fb6c
MD5 hash: 0e738f5922ef1bed63478ca5ccbe4ab5
humanhash: beryllium-beryllium-lion-oxygen
File name:0e738f5922ef1bed63478ca5ccbe4ab5.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:252'105 bytes
First seen:2022-01-31 07:46:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owjeNQuyqL2XdkuorhVf+0UGe9JS7RwZCvKLNcuM:HeNQuyxdLodoGeQRwZCarM
Threatray 13'157 similar samples on MalwareBazaar
TLSH T16B34120E77D1A9FFD59211B11E7707EAD6FED2054F901A0BAF341FD934A0086A252BB2
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
W6902.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-31 04:36:15 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/95cc86ba-6b95-470d-a855-87b69cd82dc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228343/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f793f8d9e6538232d67aee/reports/dd6702ca-ab28-4471-a336-5a4d2fcaacbe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9e4b892-e630-40de-9c65-220cfd303bcf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930659
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 07:52:42 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7q2vic3afougbmimfnbsmfsxu7rlt7a5hkubaqts6isvuzspvplq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02c848711be5356cc435b98837bdf0120cac86fdeaa5238793a3ab6300482147
Formbook
08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53
Formbook
194eecb866b404241cc14abfccf3ece512927dafff1e64248e1b1fb4e4acbd26
Formbook
1ec8f5c2a626d9484af9532ed48a5b7482fc0dcdab074d8545ac8e4454c68a89
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
Formbook
b8ab74dd84edb28eb65b60019e3420a82747b46e1d10d016dbf74fee5edb7ecb
Formbook
b96d8904afc128bf96f360fb2702b6eb0d4d70ae6cbf32e7e4bbdd90ff884a04
Formbook
d0a2b78cdc16ebd07adf6aacd4b6e2d639dcdebd28f0e3eb4ca3e6b73cc1add8
Formbook
+ 13'147 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b80i loader rat
Link:
https://tria.ge/reports/220131-jmjtxshdf7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files
SH256 hash:
fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7
MD5 hash:
0e738f5922ef1bed63478ca5ccbe4ab5
SHA1 hash:
3518eb79082655a27598a1025d581ffdba11fb6c
Link:
https://www.unpac.me/results/e860725f-2cf1-4b2d-944f-d4ea8bc43b67/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fc35540b602b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2001965/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/228343/

Comments