MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
SHA3-384 hash:	24683fb8add5cc1d1904df9262700f1f5e412410c7593e155a993aca9a08ae03f100a8de09da91c640e1d66a6c31f91e
SHA1 hash:	fdb262c5660dac2a6b30e8a488a05eec6b622151
MD5 hash:	29a50ff6397fe78b930c764195a1d9cb
humanhash:	floor-football-hamper-eighteen
File name:	PO 2000057560.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'122'843 bytes
First seen:	2022-09-20 10:37:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:iAOcZXp0P1xtOcW1JhC1MIDV2riu7w84UopeOH+2UNUquptQZNR:oL1jk+V2rtUUbJZupA
TLSH	T10C351243B7D51872E5B22C305B366B316DF97C601E35C66F63E81A68EB320406729FA3
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	80a4a6a6a6a68081 (11 x Formbook)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

PO 2000057560.exe

Verdict:

Malicious activity

Analysis date:

2022-09-20 10:44:13 UTC

Tags:

autoit formbook trojan stealer

Link:

https://app.any.run/tasks/3a10d8e3-8aea-410d-bcd5-8b8c1c570bbe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311650/

Detection(s):

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Adding an access-denied ACE

Launching a process

Launching cmd.exe command interpreter

Reading critical registry keys

Setting browser functions hooks

Forced shutdown of a system process

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38241/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/6329981be96ddd53a2efd982/reports/82542a70-56f7-4c60-aea8-bfef039da2e5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/62b4a866-b3bf-4408-87f4-45999ba84012

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073612

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105/

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2022-09-20 09:51:38 UTC

File Type:

PE (Exe)

Extracted files:

358

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=al4gjoxxdbd4lazmstzznoyuxi75lqnx3futmqt4gwhtpjwpuecq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:oy10 rat spyware stealer trojan

Link:

https://tria.ge/reports/220920-mpdmgacgd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0f601f66-588c-4936-8448-1e5a650c9583

Unpacked files

SH256 hash:

698621c5bd32e84675eedcc2466ddc04cb62ecac17bdb186152ee11e1adc71ab

MD5 hash:

ad15bb401a09b2c9b1eea799f7bf5d3b

SHA1 hash:

409e7d67e90d2c1913dcb9317f784e907c86c6f4

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/113fd1b6-feb9-4524-97f0-7870a81411d4/

Parent samples :

02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
0a89e078209cfee253f663972680a9e8ce5f811a1c3e212ca146dd1fe7806820
35dca540318f9e0fdc12b54f0e0a588fef8047bea5c7163db9e3e7bd6975f929
b967fa620a94b3669bae343ebf01c1150e5600d1b5967babc9bed153da762aad
8020c7ae73996b075960572036622d75a045e4979f165006a1db2e98ca561ce2
2b5e0eaa1ba6de90bb95dfb7a374b9a8f7052b109e670b900f4b0e3cc5a2896c
e4e94b44c9e470fb07a711c6cbf24730978c388cedc47a538a158126f9d1878f
f85c784976136a164863c0c50f9f2dd97c738b43efabd21f333ed8cf6d8edba4
4be0a5b71383128f03a11f9f39ecb9d32ed7e3c2f3f6fc5c6a0300dbecdb29d9
ae7bed4f2ca7d2e00ce5fd9138eed815e9a7ceaf971a0c731364ea9ac28eded2
dd5c4fcf7c4737619d62e6fc138247422d1866a04899f2fe242d372c3c2e9332

SH256 hash:

ecf4b3973be4eb05a27143ab620963ecbe794ee5cbe1c4474b3bebd611bec89c

MD5 hash:

2e3b5e2edd47197529ccc21cc0393f52

SHA1 hash:

fdf35066af7e95c81198d816b41053243350e24a

Link:

https://www.unpac.me/results/113fd1b6-feb9-4524-97f0-7870a81411d4/

SH256 hash:

02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105

MD5 hash:

29a50ff6397fe78b930c764195a1d9cb

SHA1 hash:

fdb262c5660dac2a6b30e8a488a05eec6b622151

Link:

https://www.unpac.me/results/113fd1b6-feb9-4524-97f0-7870a81411d4/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/02f864baf718/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/311650/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample