MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601
SHA3-384 hash: a90b0a055d2da1516d59ec38e0eeb3f80c6f900979f927a33821c6489a18688aaeadf0770895094b8b522c19c9b59e8e
SHA1 hash: b5a09b34b18f14d44c311f84a5e705bdc6684e0c
MD5 hash: 75f24a7fd78d30dc1287852829e55fe1
humanhash: virginia-fifteen-mirror-ink
File name:SOA_OCT 2021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:276'247 bytes
First seen:2021-11-10 13:17:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiHP4UEJyGFplNY5Iy/lTZdM6PLtO8YKi5BrnEqzqbMhYqfEFBmdq:rQU8ywfNiIy/lVdM6PhY5Bnzqw5uj
Threatray 11'271 similar samples on MalwareBazaar
TLSH T10044229F2AD0812BE0D7D5B157B7CBADEBBB98885570985B4B400FBFAE3326553020D1
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:exe FormBook xloader formbook

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204721/
Detection(s):
SecuriteInfo.com.Dropped.Trojan.GenericKDZ.79883.29697.30496.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/618bc691175442ca93aaadec/reports/60d7bee7-d424-4eed-b991-57dac2d90840/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bcc1ca64-0a64-44e2-8605-c6a603830b6a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886720
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 05:00:38 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7t36p3vb6smd7b3lwuvq4qhat7w7ngus3twbdpsq76d6c2mciyaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5
Formbook
2a9f1febdc4e074beaa1b6b761d09900377204da7a9f1cdba39284d568e2ddc8
Formbook
50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a
Formbook
5264dba5e023d5b63d57197b4efc1d105083c9b4d84d754ea5a4d1f5823c9cb6
Formbook
6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c
Formbook
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
Formbook
ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3
Formbook
d78094f3b6eac87e2d4249671bdc4e044afb31e2e78aac8f2db7186c6d5b6db1
Formbook
+ 11'261 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:e8ia loader persistence rat suricata
Link:
https://tria.ge/reports/211110-qjyl8sebhq/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.helpfromjames.com/e8ia/
Unpacked files
SH256 hash:
fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601
MD5 hash:
75f24a7fd78d30dc1287852829e55fe1
SHA1 hash:
b5a09b34b18f14d44c311f84a5e705bdc6684e0c
Link:
https://www.unpac.me/results/c18998c5-fad7-401e-981e-335efe30d198/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fcf7e7eea1f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204721/

Comments