MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff8822912c95eec63058510d93508925ce9f3b26cf2f3ce237d480d4ee3f09f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	ff8822912c95eec63058510d93508925ce9f3b26cf2f3ce237d480d4ee3f09f9
SHA3-384 hash:	6889bcf5c670daccf941b3373c16be65849f6d94de7e7e0b11b5047b9f77b903102674cb385fdc739da174ff9ffea150
SHA1 hash:	382070bcad68677c69655aa1f332c9f482585027
MD5 hash:	b73b2882deb97f0660254c5c68e3d62d
humanhash:	golf-hawaii-king-music
File name:	SecuriteInfo.com.Zum.Androm.1.32714.19273
Download:	download sample
Signature	Formbook Create hunting rule
File size:	316'331 bytes
First seen:	2021-10-06 10:16:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:F8LxBs2kEUS4G4yNQNl9MuBDk/CbUCZgjXIB34wRSY/EsIysXF:/2fUSEl9MuBQ/YCX6oRYA1
Threatray	10'067 similar samples on MalwareBazaar
TLSH	T15864232BB5E908FFE481B3F0BC7AE78CE3734C450811410B4B636E67AE6A64B41851ED
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Zum.Androm.1.32714.19273

Verdict:

Malicious activity

Analysis date:

2021-10-06 10:21:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6dc706f2-4779-4d04-a1c5-bd0267369e41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/195443/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.32714.19273.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/615d779f98a6280f3932d86d/reports/f050a338-3c1d-425e-b0bf-2415df68a986/overview

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4df78018-dd9d-4663-a1f4-dc45eb9e7c10

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/865438

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/ff8822912c95eec63058510d93508925ce9f3b26cf2f3ce237d480d4ee3f09f9/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-06 10:17:05 UTC

AV detection:

15 of 27 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=76ecfejmsxxmmmcykegzguejexhj6ozgz4xtzyrx2sanj3r7bh4q._file

Verdict:

malicious

Label(s):

formbook

Formbook

26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495

Formbook

31accabae2032a0fda8dd449182167521360e258df6ebd2316130399d910e990

Formbook

5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936

Formbook

64e3a0f2298f21833eb7a9c51aa0b2b8d3354bdcefb0156bb34371e3163d8b3d

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

7a8cd0fb35936203195d49af3fec0140f45e8b8fb75df0203db6b914d4b8d192

Formbook

9fd6d5c3553557a9cb263962d71901a681aaa50f3808436b7dff7c4c97289b5e

Formbook

ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3

Formbook

c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

Formbook

+ 10'057 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:c6bi loader rat

Link:

https://tria.ge/reports/211006-mavmfabab6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.mhdastmaltchi.com/c6bi/

Unpacked files

SH256 hash:

ff8822912c95eec63058510d93508925ce9f3b26cf2f3ce237d480d4ee3f09f9

MD5 hash:

b73b2882deb97f0660254c5c68e3d62d

SHA1 hash:

382070bcad68677c69655aa1f332c9f482585027

Link:

https://www.unpac.me/results/c4999efc-d5b7-44ff-b468-8437bb5e8d2f/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ff8822912c95/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff8822912c95eec63058510d93508925ce9f3b26cf2f3ce237d480d4ee3f09f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195443/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample