MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a
SHA3-384 hash:	98bc005c814dae77ba4fc2f4b756c3a27b494057904e37a49561625aa25a7c22765128d244f88968425bc93ebb446c88
SHA1 hash:	751555d8ade582bd24c690763bbaaba98fa41654
MD5 hash:	5537ce44174ebce4d526fe00d3914cd6
humanhash:	spring-oranges-golf-winner
File name:	SecuriteInfo.com.Trojan.PackedNET.507.30982.13845
Download:	download sample
Signature	Formbook Create hunting rule
File size:	611'328 bytes
First seen:	2021-01-21 14:09:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:TT/OnNNWOradK8obFvI3blgYKkWvgLIQ1IAiMo9oe7GTKI5/DX85JopC6no:v28+UblgYvt6AiKdeI5/DM5JjEo
Threatray	3'609 similar samples on MalwareBazaar
TLSH	1ED43A516928C5C6E8AD12B2E19785F928F03C6ECBD5516F71AAFF2630B0753060FD2E
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.507.30982.13845

Verdict:

Malicious activity

Analysis date:

2021-01-21 14:18:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/35646110-09f9-418c-b9eb-411d64de3c72

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/113300/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.507.30982.13845.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Connection attempt

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/587312

Signature

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2021-01-21 14:10:12 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70

Formbook

5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122

Formbook

82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7

Formbook

a38cbbb16b9dda3d7aebcdcd033a8f5e56f17257c060859a3cdd2e1a8bb27ab9

Formbook

b36c5718a19998ec936051a544a8831e85f7e08b4e7f9c5269e25e963ebabdd3

Formbook

b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430

Formbook

b9a286880c70bf7b6b049c8be7b7b14d8318b6c38d04185eced4bc48795330ff

Formbook

d81f4b6a0b8650415e2c2acfe4ee223f6826b3b6849393f4de2db4f3a814beaf

Formbook

e4e84d03d4cb709d737f9ee3e69b40d797e452d83faa35f0a06bb78a87ad0984

Formbook

+ 3'599 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210121-x9cpf69zre/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.inreachpt.com/gqx2/

Unpacked files

SH256 hash:

3e215d8d82233de2c29a24d35ccb0c8dea1ba1f25579497b075419843d36d17d

MD5 hash:

f66478d91fdabce95474a51a82eee285

SHA1 hash:

07008d10cd2d34ddb51767456d8b83a6674da3fb

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/daedf3ba-281a-48f1-8ba4-b69253624187/

Parent samples :

b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430
b9a286880c70bf7b6b049c8be7b7b14d8318b6c38d04185eced4bc48795330ff
a38cbbb16b9dda3d7aebcdcd033a8f5e56f17257c060859a3cdd2e1a8bb27ab9
5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122
b36c5718a19998ec936051a544a8831e85f7e08b4e7f9c5269e25e963ebabdd3
fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a
7529675c4f443448e36de852d71111dc455009ccc66b516f898319ec2f7891bd
48e5295db9ba78034bfd5ff510f893c40a6cddee73f99421aa5b77d566ed715a
b3291d1f731c8e7408bbae7e36242e7223d24d7b3ef0fa2b7f07950be8dd3462
f29bebf4c348274359973039283bd9e56a8611f98847be2ab794f417ff706b3d
3ab5b91315aed3147ec6d8038d620caa9e068a1b200c9c1631a1fb036e839daf
d30db5b4b3087ae9f6dcfb18e0b85fa39ceb7bf182604418c4760cf32357cd1d
8ccda60ef18d8d5f5c5bfa7f1d141171871f51c906e44f363226b0d2a22a143b

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/daedf3ba-281a-48f1-8ba4-b69253624187/

SH256 hash:

7ba9f268bb67fc0b667f4ec130704a17782489206cdb9123b9b51a76c6df070d

MD5 hash:

195abdd7aaa7a309f1c16c1c70b9592e

SHA1 hash:

27bd7d970e079bd803a032671ac5350d02dcb353

Link:

https://www.unpac.me/results/daedf3ba-281a-48f1-8ba4-b69253624187/

SH256 hash:

fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a

MD5 hash:

5537ce44174ebce4d526fe00d3914cd6

SHA1 hash:

751555d8ade582bd24c690763bbaaba98fa41654

Link:

https://www.unpac.me/results/daedf3ba-281a-48f1-8ba4-b69253624187/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe fdc7a121571ec5e47773d3c837cd0d4e7234d00b6a7262b2500301c51ee5801a

(this sample)

Cape

https://www.capesandbox.com/analysis/113300/

URLhaus

https://urlhaus.abuse.ch/url/972965/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample