MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fddfa27a56eb44a653c6d5d7947d62415896a15da7cbd4cf8e7b72334e6f0833. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fddfa27a56eb44a653c6d5d7947d62415896a15da7cbd4cf8e7b72334e6f0833
SHA3-384 hash: 1ea7c20fcb3d64a66a91e26254aa69095bf8b1c9b995a346e8a882d56ec48f61835ac03f78f35786c9ccd8a0b4083134
SHA1 hash: 7a59d956566fff7f3ceb307a517e9916d109d72d
MD5 hash: c99abadf6f390dd2faffb596f57cf4ef
humanhash: orange-high-finch-pennsylvania
File name:FedEx.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:2'860 bytes
First seen:2022-02-10 01:10:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:R42OtbOU+AjZLNmXdq2E7IcrwAOGOb0AhQpFccQ+LL7Ij9aKn:R2T+uNmveIEwALGwLLY9fn
Threatray 13'356 similar samples on MalwareBazaar
TLSH T1E451836E3627FA68AA039DE1EC4F485D55E4178670788460770C82D80B7A859EBC8E8E
Reporter Anonymous
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240038/
Result
Verdict:
SUSPICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937573
Signature
Command shell drops VBS files
DLL side loading technique detected
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 570051 Sample: FedEx.vbs Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 56 www.mcato.xyz 2->56 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Yara detected FormBook 2->70 72 3 other signatures 2->72 10 wscript.exe 14 2->10         started        14 wscript.exe 2->14         started        16 wscript.exe 13 2->16         started        signatures3 process4 dnsIp5 64 sinogytee.mywire.org 191.101.130.47, 49735, 49763, 49764 MAJESTIC-HOSTING-01US Chile 10->64 84 System process connects to network (likely due to code injection or exploit) 10->84 86 Wscript starts Powershell (via cmd or directly) 10->86 88 Very long command line found 10->88 90 2 other signatures 10->90 18 powershell.exe 14 23 10->18         started        23 cmd.exe 3 10->23         started        25 powershell.exe 14->25         started        27 powershell.exe 16->27         started        signatures6 process7 dnsIp8 58 sinogytee.mywire.org 18->58 50 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 18->50 dropped 52 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 18->52 dropped 74 Writes to foreign memory regions 18->74 76 DLL side loading technique detected 18->76 78 Injects a PE file into a foreign processes 18->78 80 Powershell drops PE file 18->80 29 calc.exe 18->29         started        32 conhost.exe 18->32         started        54 C:\Users\user\Music\FedEx.vbs, ASCII 23->54 dropped 82 Command shell drops VBS files 23->82 34 conhost.exe 23->34         started        60 sinogytee.mywire.org 25->60 36 calc.exe 25->36         started        38 conhost.exe 25->38         started        62 sinogytee.mywire.org 27->62 40 calc.exe 27->40         started        42 conhost.exe 27->42         started        file9 signatures10 process11 signatures12 94 Modifies the context of a thread in another process (thread injection) 29->94 96 Maps a DLL or memory area into another process 29->96 98 Sample uses process hollowing technique 29->98 100 2 other signatures 29->100 44 explorer.exe 29->44 injected process13 signatures14 92 Uses netsh to modify the Windows network and firewall settings 44->92 47 svchost.exe 44->47         started        process15 signatures16 102 Tries to detect virtualization through RDTSC time measurements 47->102
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fddfa27a56eb44a653c6d5d7947d62415896a15da7cbd4cf8e7b72334e6f0833/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xp2e6sw5nckmu6g2xlzi7lcifmjnik5u7f5jt4opnzdgttpbazq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0418190aadd19ac9ea51c98d516f178ce5378a5d4354d44a9b49ac814b49325e
Formbook
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
79215526b0229696bf3961e09918bca444cb43b079ca70834c54db52c49c51ac
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
c68187b173ad6e5f68910e7e23137e30c348192f861ef27e45bf82c0bc8663e8
Formbook
caf586c9d78e7b0adc9d91286228eba817463d60b912651f2aa43288441d4d48
Formbook
e8720afe9895124761086a0f00aa515997015669cc5332aebe99d5ea02ca7377
Formbook
+ 13'346 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:shar loader rat
Link:
https://tria.ge/reports/220210-bjyvnscae8/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Xloader Payload
Xloader
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fddfa27a56eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/240038/

Comments