MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0b124c254ddf4b3bd11079d2475ff96a1b1e3e2ab6ffe4edbc7443c02c65df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff0b124c254ddf4b3bd11079d2475ff96a1b1e3e2ab6ffe4edbc7443c02c65df
SHA3-384 hash: ba30834d856a8979d423521c0a6adda65611f9dca243aaea7dd36187af075f5046578e6cdd009626dd04d77169e9d06d
SHA1 hash: 257b7ac1066eecd46978b9ceb44ddfa91de1bb4a
MD5 hash: 5bb447f5f28c1a28361ef8aea283dddc
humanhash: green-pizza-summer-december
File name:2022-09-02-003267.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:269'969 bytes
First seen:2022-02-09 11:38:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owQTGyht+cVXSyz7jCkJfN+49/x5dzsOiviGxInyy:qL+cVXS4jHhNx5d4Oicnyy
Threatray 13'181 similar samples on MalwareBazaar
TLSH T1374412776BCC887BEA5FA3713E775AB4C2F9C7042413115B0B58DFF72969082921A386
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter FORMALITYDE
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239462/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6203a7dcc79b424d720abd4f/reports/b91808c8-606c-49ec-84de-af36d2b2c05c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0836916c-057b-4e07-9f25-8d4ce5d68c94
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936799
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff0b124c254ddf4b3bd11079d2475ff96a1b1e3e2ab6ffe4edbc7443c02c65df/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 11:15:58 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=74fretbfjxpuwo6rcb45er277fvbwhr6fk3p7zhnxr2ehqbmmxpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
34fc8a270fda2856448cb455e3dca4d8210f5e83f25f1fa8339d8f428a449466
Formbook
4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291
Formbook
94517fa5a38b384136a3027f7588daa605494dd888e4658cb89d521f5fb2d55a
Formbook
a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5
Formbook
e8720afe9895124761086a0f00aa515997015669cc5332aebe99d5ea02ca7377
Formbook
f777ad0feb1db2da7abb7c793515f7af49d06a7b4fc5904a9da436ccbd59ddc3
Formbook
fcccde6b56dbe8650273f1d67957a1adc1dd0e783d43d6543da7a44696731292
Formbook
ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628
Formbook
+ 13'171 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:cq4e loader rat
Link:
https://tria.ge/reports/220209-nsaknaabd4/
Behaviour
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
ff0b124c254ddf4b3bd11079d2475ff96a1b1e3e2ab6ffe4edbc7443c02c65df
MD5 hash:
5bb447f5f28c1a28361ef8aea283dddc
SHA1 hash:
257b7ac1066eecd46978b9ceb44ddfa91de1bb4a
Link:
https://www.unpac.me/results/093cf5b5-637a-463b-84b6-28b50736a6d2/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff0b124c254d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ff0b124c254ddf4b3bd11079d2475ff96a1b1e3e2ab6ffe4edbc7443c02c65df

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/239462/

Comments