MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd255d8ad67bf130b8e81f8ef3e09b6f89628232eb0d3b4eebf04138da1f9c8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd255d8ad67bf130b8e81f8ef3e09b6f89628232eb0d3b4eebf04138da1f9c8b
SHA3-384 hash: 3e66310479378b1221b04fe72b0984bbe6d300f5be008f2d32c8b4de3d86ee32f0c7c668a61afd6a30a5b64dfa876426
SHA1 hash: 166f498ec95a3325c8e7023b85431b7647c5216c
MD5 hash: 0877ad4331272f6d392e5ce440878754
humanhash: india-chicken-six-pizza
File name:0877ad4331272f6d392e5ce440878754.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:877'568 bytes
First seen:2021-05-11 17:10:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:HqFyiUdh7NZbNhVxmDXc7/x5JpxtuuR0I/QKK6rH+E+m+HfkxlRjwnOfeIlMfq:jLbNhuDXA/x51OI/QgHAm+HgWOfeI
Threatray 5'093 similar samples on MalwareBazaar
TLSH 87152303B2A48928D1FE5BF1A896195517B0E509EA43FB9E6F8858DE24F36F0C7C07D1
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/155184/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Connection attempt
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778907
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411313 Sample: gCcAUOanux.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 6 other signatures 2->45 9 gCcAUOanux.exe 15 5 2->9         started        process3 dnsIp4 37 127.0.0.1 unknown unknown 9->37 29 C:\Users\user\AppData\...\gCcAUOanux.exe.log, ASCII 9->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 9->55 57 Injects a PE file into a foreign processes 9->57 14 gCcAUOanux.exe 9->14         started        17 gCcAUOanux.exe 9->17         started        file5 signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 19 cmmon32.exe 14->19         started        22 explorer.exe 14->22 injected process9 dnsIp10 47 Modifies the context of a thread in another process (thread injection) 19->47 49 Maps a DLL or memory area into another process 19->49 51 Tries to detect virtualization through RDTSC time measurements 19->51 25 cmd.exe 1 19->25         started        31 easydentalfiber.com 50.87.223.209, 49763, 80 UNIFIEDLAYER-AS-1US United States 22->31 33 www.famafair.com 103.30.4.178, 80 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Hong Kong 22->33 35 12 other IPs or domains 22->35 53 System process connects to network (likely due to code injection or exploit) 22->53 signatures11 process12 process13 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd255d8ad67bf130b8e81f8ef3e09b6f89628232eb0d3b4eebf04138da1f9c8b/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 13:00:29 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7usv3cwwppytbohid6hphye3n6ewfars5mgtwtxl6batrwq7tsfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0da69c7edc37d3b66c49f77a5aaca03f37732725108f7a7acec33eab349fcd7f
Formbook
1e046f6dcd3265264a9a6891cdc1814f382c7ae887b57ae23ceff53c7e1a53ff
Formbook
32ea10b6bd6642663614f79f2332c45d76772db89bc7efb5d4df3bb21d9c3562
Formbook
3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
Formbook
456614711c0a92e9455fc588f27889ee37c509b2f5e8c901d351346e8cf6140c
Formbook
4df95b25eba61af4dafea962aece44721deaebbb49cd3636fe3d20f169009d99
Formbook
59dfc7b23638bdecf18820f02997f0065b139d6e1b0ac0628b51ad4aef0a57d5
Formbook
68fa77befde4e147cc7bc2fb142306a94245adb49c4ccca175f12f29414ce3d1
Formbook
a173731d16e9140be26ee0a16e6416109b684b71a3523a3c4b85cf101bcd3b1e
Formbook
c651e973d7cc7d54b38d45b9c464889778e4262d3dfeb692cd87f0a2fd0d7079
Formbook
+ 5'083 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210511-dk9k8rj9d2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.badmovielogic.com/onqm/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd255d8ad67bf130b8e81f8ef3e09b6f89628232eb0d3b4eebf04138da1f9c8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fd255d8ad67bf130b8e81f8ef3e09b6f89628232eb0d3b4eebf04138da1f9c8b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1220925/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/155184/

Comments