MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 022beee80a1abf89283d6c5008a075efd3018a4c382a00165deb171e7702a32e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: 022beee80a1abf89283d6c5008a075efd3018a4c382a00165deb171e7702a32e
SHA3-384 hash: 96c6bca0091614d96ce3e7d289190b3b0a5d5e7924ba122649aedd6c979b4dae5aaebaf183a5074291792ed2e73a9107
SHA1 hash: 843492a98a36841d6151b4cd1c30cec16cb658d6
MD5 hash: e1c0624c2d2e1805c57b2227bd2a4b83
humanhash: arkansas-bulldog-bacon-five
File name: RE 回复 REQUEST FOR PI PG SHIPMANAGEMENT PTE. LTD..exe
Signature: Formbook
File size: 668'672 bytes
First seen: 2022-05-30 08:36:03 UTC
Last seen: 2022-05-30 08:45:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 12288:VWPCd9cVuCUngfhdW7zxUVty7QkrH7uLUiac23Tv9x/B324mqirHuPh:VWad9ckcdW7zxUVkQAH7uPX23Tv9x53F
Threatray: 13'497 similar samples on MalwareBazaar
TLSH: T1D6E401397A91CF42D26826B0C5F3543403F7A45B9632D3437ECE26CA1E4ABE49DC6B46
TrID: 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 00ccf096ccc0d400 (21 x FormBook, 18 x AgentTesla, 11 x SnakeKeylogger)
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads:
2
# of downloads:
259
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RE 回复 REQUEST FOR PI PG SHIPMANAGEMENT PTE. LTD..exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 08:41:58 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe wacatac
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 636044; sample "RE #U56de#U590d REQUEST FOR PI PG SHIPMANAGEMENT PTE. LTD..exe"; start date 30/05/2022; architecture WINDOWS; score 100), recovered from the flattened graph:

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures.

Process tree:
- RE #U56de#U590d REQUEST FOR PI PG SHIPMANAGEMENT PTE. LTD..exe (started)
  - dropped: C:\Users\user\AppData\...\fqjNVSWFeGWJb.exe (PE32); C:\...\fqjNVSWFeGWJb.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC789.tmp (XML); RE #U56de#U590d R...T PTE. LTD..exe.log (ASCII)
  - signature: Adds a directory exclusion to Windows Defender
  - started: a second instance of RE #U56de#U590d REQUEST FOR PI PG SHIPMANAGEMENT PTE. LTD..exe; powershell.exe; schtasks.exe; a third instance of RE #U56de#U590d REQUEST FOR PI PG SHIPMANAGEMENT PTE. LTD..exe
    - second instance signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    - second instance injected: explorer.exe
    - powershell.exe started: conhost.exe
    - schtasks.exe started: conhost.exe
      - explorer.exe (injected) network: www.datacover.xyz 3.64.163.50, ports 49776, 49777, 49778 (AMAZON-02US, United States)
      - explorer.exe signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses ipconfig to lookup or modify the Windows network settings
      - explorer.exe started: ipconfig.exe; autofmt.exe
        - ipconfig.exe dropped: C:\Users\user\AppData\...\4K7logrv.ini (data); C:\Users\user\AppData\...\4K7logri.ini (data)
        - ipconfig.exe signatures: Detected FormBook malware; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
        - ipconfig.exe started: cmd.exe
          - cmd.exe signature: Tries to harvest and steal browser information (history, passwords, etc)
          - cmd.exe started: conhost.exe
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2022-05-30 06:32:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 41 (48.78%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SHA256 hash:
710efda658755039f07e71931d82f4cf05602a37f7000f954247a897cb0c2110
MD5 hash:
3cb6a9d033f0bd33538ebb14185d9fb8
SHA1 hash:
e2d4b0d72af9f74fe609f2cb6e9fcf40463963c0
SHA256 hash:
840be1d54ac08fdec3556b93ff92af7e2f6d7c909a7606c59c5ac777670e2742
MD5 hash:
cc4a8210cb3e6146e928003944c15fbf
SHA1 hash:
e218e2b2a8c8e204c19d6cc6aec987b87544d566
SHA256 hash:
0759310df759d865a12d0e8abbe4bae4a2da81b650a9536ccf70ab999784dd15
MD5 hash:
c2ec42b0c15b257d733b54174c71671d
SHA1 hash:
97e15bf19b8f96f4a2a7a61a7c8580f9f76ad7bc
SHA256 hash:
b79f0b10c60d80094b87ffa9dd200a55890c3d0df229984dcd29d188e075fe27
MD5 hash:
b5372ba3419a04658122eee39a3f15df
SHA1 hash:
34e0d9170ca5e77468fa248d30d00aa2bd713b70
SHA256 hash:
022beee80a1abf89283d6c5008a075efd3018a4c382a00165deb171e7702a32e
MD5 hash:
e1c0624c2d2e1805c57b2227bd2a4b83
SHA1 hash:
843492a98a36841d6151b4cd1c30cec16cb658d6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 022beee80a1abf89283d6c5008a075efd3018a4c382a00165deb171e7702a32e (this sample)

Delivery method: Distributed via e-mail attachment