MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc
SHA3-384 hash:	abf5fb88c16221b4fd439fb3f6e7660fe9ee65af2412963d1d4f2d94431dd4aa1a940f5e46d6e4b0c380289d494a5817
SHA1 hash:	93f37d06fc07fd90323eb3cd1eb316ed8fc3292e
MD5 hash:	ae534f8ee5cc7d3d9345d4b97db45f8a
humanhash:	triple-pasta-island-finch
File name:	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	255'826 bytes
First seen:	2022-01-27 13:38:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:ow3APuwPd1dAkhexYw+tWJlKPV74N8S6w:muwPykheKw+qlKPVJw
TLSH	T163441226A1E485E7F1C6057335ABEB33E7F6932022521C5B0BB14F67B51E1D3C0269AB
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lod2.xlsx

Verdict:

Malicious activity

Analysis date:

2022-01-27 06:48:56 UTC

Tags:

encrypted trojan opendir exploit CVE-2017-11882 loader formbook stealer

Link:

https://app.any.run/tasks/57ffdcc9-84a4-4f14-9f98-2831104c8dde

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/224330/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61f2a086c4bcf3287a6141b8/reports/afb4464c-61ff-4c0e-b117-e87812d800cf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a329a77-4101-4e44-ad87-dfb0131c072d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/929222

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2022-01-27 13:15:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=77v3367ugsa7eymsjzzltq5mws2qhvavjgvzeyavcwnpjupx6h6a._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ndf8 loader rat

Link:

https://tria.ge/reports/220127-qxy5xsdedl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Xloader Payload

Xloader

Unpacked files

SH256 hash:

2d259c31d441060d1f45fe3b7648cafbeaad6cbb0f4598cebb99342cca7f1689

MD5 hash:

881441709a2a82fd30592fc9e0bbfd14

SHA1 hash:

a1ba1d015e64a67776bdbe0fa64c47e9b953f48a

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/85fe68b0-1878-459f-9430-ab9e60c5d3a4/

Parent samples :

ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
22099fbafc3dda95912c51aa0c313826f21e2fe84ef51453c649f66ab29c6916

SH256 hash:

e26db32ce437b6736858261d510403b3029117d5e5c3c497cc5b6a2d5c496640

MD5 hash:

3f0c5309d04570d57b42d280d467bc97

SHA1 hash:

97c6bf5d31fe594a7e8222e100ac6a65a67dd2b7

Link:

https://www.unpac.me/results/85fe68b0-1878-459f-9430-ab9e60c5d3a4/

SH256 hash:

ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc

MD5 hash:

ae534f8ee5cc7d3d9345d4b97db45f8a

SHA1 hash:

93f37d06fc07fd90323eb3cd1eb316ed8fc3292e

Link:

https://www.unpac.me/results/85fe68b0-1878-459f-9430-ab9e60c5d3a4/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ffebbdfbf434/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2004815/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/224330/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample