MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
SHA3-384 hash: c84d8b777e428a84cfb274943f92e49bc9864fec6f347113fe63368b88d8c1819e17fe84e7d06a36e79f3476d836fea1
SHA1 hash: c8d42f3efe983add08b190325239290e4fb79631
MD5 hash: 30a5ad6d62e4cd603673a9e3b3e77631
humanhash: arizona-kansas-gee-florida
File name:exe030.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'131'857 bytes
First seen:2024-11-15 18:37:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 521911f3c9ec03ddf394e50a8c2bfb15 (1 x Formbook)
ssdeep 24576:0zAW5Wy3XuH/pR0+9vwe5oc78dBDaiMo9mRCYDwECvw:0NWHH/Dt55l4jaYKIEcw
TLSH T14935F11AF7E408F8E4B7A57CCD564905E6B67C0247319B9F13A0666A2F233D0AD3E721
TrID 76.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10522/11/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter juroots
Tags:exe FormBook xworm


Avatar
juroots
Opendir: http://194.90.142.157/exe/

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://194.90.142.157/exe/exe030.exe
Verdict:
Malicious activity
Analysis date:
2024-11-13 23:08:28 UTC
Tags:
opendir loader evasion
Link:
https://app.any.run/tasks/643dce29-7d88-489e-a014-503a170ff0d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Dropper.Nanocore-10024427-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10024808-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Win.Malware.Barys-10024056-0
Create hunting rule

Win.Packed.Msilzilla-10024501-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673795504ca0f9db40c48a5d
Tags:
asyncrat autorun khalesi gumen
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm asyncrat backdoor fingerprint microsoft_visual_cc njrat overlay packed packed packer_detected rat
Link:
https://www.filescan.io/uploads/6737950ff72956936c075a52/reports/9a809d5c-e456-4708-84b2-a65b22d22a0b/overview
Verdict:
Suspicious
Labled as:
Trojan_MSIL_AsyncRAT_R_MTB
Link:
https://www.hybrid-analysis.com/sample/fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/48a46e86-cef6-4813-8aba-56b3f1a2dab2
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1556670
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1556670 Sample: exe030.exe Startdate: 15/11/2024 Architecture: WINDOWS Score: 100 55 senior-adopted.gl.at.ply.gg 2->55 57 ip-api.com 2->57 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for dropped file 2->67 69 15 other signatures 2->69 9 exe030.exe 7 2->9         started        signatures3 process4 file5 45 C:\Users\user\Desktop\FREE BYPASS.exe, PE32 9->45 dropped 47 C:\Users\user\Desktop\2.exe, PE32 9->47 dropped 12 2.exe 6 9->12         started        17 FREE BYPASS.exe 10 9->17         started        19 conhost.exe 9->19         started        process6 dnsIp7 59 senior-adopted.gl.at.ply.gg 147.185.221.23, 49714, 49715, 49716 SALSGIVERUS United States 12->59 49 C:\Users\user\AppData\Roaming\XClient.exe, PE32 12->49 dropped 75 Antivirus detection for dropped file 12->75 77 Multi AV Scanner detection for dropped file 12->77 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->79 81 4 other signatures 12->81 21 powershell.exe 23 12->21         started        24 powershell.exe 12->24         started        26 powershell.exe 12->26         started        28 powershell.exe 12->28         started        51 C:\Users\user\...\SAM CHEAT bypass.exe, PE32+ 17->51 dropped 53 C:\...\Realtek HD Audio Universal Service.exe, PE32 17->53 dropped 30 Realtek HD Audio Universal Service.exe 14 2 17->30         started        33 SAM CHEAT bypass.exe 17->33         started        file8 signatures9 process10 dnsIp11 71 Loading BitLocker PowerShell Module 21->71 35 conhost.exe 21->35         started        37 conhost.exe 24->37         started        39 conhost.exe 26->39         started        41 conhost.exe 28->41         started        61 ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States 30->61 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->73 43 WerFault.exe 30->43         started        signatures12 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-11-13 14:46:10 UTC
File Type:
PE+ (Exe)
Extracted files:
24
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wr6257ctkyqljoboywijrx25evujf6fsvglgbpgcph6amcqmcia._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/241115-w913yazaph/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
147.185.221.23:25808
senior-adopted.gl.at.ply.gg:56758
Verdict:
Malicious
Tags:
Win.Packed.njRAT-10002074-1
YARA:
n/a
Link:
https://app.threat.zone/submission/0fe4480f-85a2-4a6f-9c05-96ca2f5afb74
Unpacked files
SH256 hash:
edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399
MD5 hash:
d46bcf5d90966c10fb75419041fae79f
SHA1 hash:
9db2c47dd39acd50983c963d370045fcb956d72a
Link:
https://www.unpac.me/results/19d74c9a-68d0-430d-82b3-f13248dd8340/
SH256 hash:
d1179ff1ecadf6756288590c6c08420ec7b9e06aa9e0effc9b2c6b9b8ca5fa4e
MD5 hash:
d73c9e865143acd7ee7b526266109048
SHA1 hash:
86cd070de3e808bfa057daf04ca7286644e33e35
Link:
https://www.unpac.me/results/19d74c9a-68d0-430d-82b3-f13248dd8340/
SH256 hash:
a3ddac32a27fe5da8c189519d6a9801cbf2f4bd38c6e85b2b8dcb54351e01649
MD5 hash:
8b2dcbe05d600ce494098fd501786fb5
SHA1 hash:
20dea1f20b8506d9703c12ebbac32eb89be0b5e3
Detections:
win_xworm_w0
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
win_xworm_bytestring
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/19d74c9a-68d0-430d-82b3-f13248dd8340/
SH256 hash:
8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8
MD5 hash:
066d90fb1d671648842a3b46622eb7ce
SHA1 hash:
6d0949bd4f494c9f8d80b705a79cfa9038c80e51
Detections:
win_xworm_w0
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
win_xworm_bytestring
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/19d74c9a-68d0-430d-82b3-f13248dd8340/
SH256 hash:
fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090
MD5 hash:
30a5ad6d62e4cd603673a9e3b3e77631
SHA1 hash:
c8d42f3efe983add08b190325239290e4fb79631
Link:
https://www.unpac.me/results/19d74c9a-68d0-430d-82b3-f13248dd8340/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fda3ed77e29a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fda3ed77e29ab105a5c1762c84c6fae92b4497c5954cb305e613cfe030506090

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/7e514f24-aa21-45d9-8c99-2a9bd316e698

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::GetSystemDirectoryW

Comments