MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
SHA3-384 hash: 5b8c82f63bea994a777406563217d5a4a60a98903118ce93b46e30345f0d79bc1721d402cbd782c2680d4df6e7e5530c
SHA1 hash: 009a265a5dc2c1fb960c4cffde17d95fc21fa16d
MD5 hash: 6adf971492254cf2a5f8894c8a0d637f
humanhash: winner-gee-burger-princess
File name:Search.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'498'360 bytes
First seen:2024-03-26 06:13:10 UTC
Last seen:2024-07-25 00:49:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:9woLb4RIEWQqv1RUliCZz7BQlHySGp2pamWWO6PHDM6Pgq9OSQBGDi6QU:Co/ScIi83BQhvGp2g6vpPgZwDL
TLSH T1F1C533406B8D3723DE7AAB3C02E506B86AF4BBF6D684F123E5F3554518247E05E06B4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter 1ZRR4H
Tags:91.92.250.169 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
369
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd.exe
Verdict:
Malicious activity
Analysis date:
2024-03-26 06:14:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/022a52b6-0387-46d5-bc1a-5ec698eb64e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Launching the process to change network settings
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/660267abc114c71235702ce7/reports/50ee7f1e-46b0-40e3-9ecc-4f684424abe4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bde92879-fd05-44b8-85d9-d8e29fdb913f
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1415595
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1415595 Sample: Search.exe Startdate: 26/03/2024 Architecture: WINDOWS Score: 100 30 www.xn--matfrmn-jxa4m.se 2->30 32 www.vicatti.com 2->32 34 11 other IPs or domains 2->34 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 10 other signatures 2->50 10 Search.exe 3 2->10         started        signatures3 process4 signatures5 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->62 64 Injects a PE file into a foreign processes 10->64 13 Search.exe 10->13         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 16 yjqoSiBMlM.exe 13->16 injected process8 signatures9 42 Found direct / indirect Syscall (likely to bypass EDR) 16->42 19 netsh.exe 13 16->19         started        22 ctfmon.exe 16->22         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 2 other signatures 19->58 24 yjqoSiBMlM.exe 19->24 injected 28 firefox.exe 19->28         started        process12 dnsIp13 36 www.staudent.life 203.161.62.199, 49724, 49725, 49726 VNPT-AS-VNVNPTCorpVN Malaysia 24->36 38 www.vicatti.com 91.195.240.117, 49732, 49733, 49734 SEDO-ASDE Germany 24->38 40 7 other IPs or domains 24->40 60 Found direct / indirect Syscall (likely to bypass EDR) 24->60 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2024-03-26 06:14:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bszijk5wht3bwbyl7iffeuh7knxzfed3x5poybyhbonov6skyk6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:purelogstealer family:zgrat rat stealer
Link:
https://tria.ge/reports/240326-gzbb7sgc91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detect ZGRat V1
PureLog Stealer
PureLog Stealer payload
ZGRat
Unpacked files
SH256 hash:
353d7c1a83055619cdba3abc2798d45ded439716c74ed4fb2a9f20fc5aa861b1
MD5 hash:
1815a14aeb563d9e633bd1c185f52fdd
SHA1 hash:
78a50f11e246c17057a68a754b5437af0c8aa7f6
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
SH256 hash:
cfb6ea32d8b66f1904a443b6545bcd55dac8f723f40c97ca4401966a8763d560
MD5 hash:
d13c27efddca1ee2e4a462497e1529c1
SHA1 hash:
f4fbf7738696a463bd9b24eb12613a936ea012bc
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
SH256 hash:
236c6d054c1aac9454bdd9426976b43df315d43725417c00a83c234df2a4e0f3
MD5 hash:
1b007318710e0a159a7133b81cdd9bfe
SHA1 hash:
e456e94ff3d703e34e689d63483a28d5a440856d
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
SH256 hash:
7f00d4fd4605690810bfa00c4a99e538df0d32b0b15c86cb796b972bb24bae7e
MD5 hash:
b9ea6b673b3072aa4eb8c375c67754c7
SHA1 hash:
cdcbf0446f071f2dd73d62ce1336637afb3a29fb
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
SH256 hash:
c38662b1f436d82f45bbc55f6f63645b9280f6974961e5a0f7a880a9a20619c5
MD5 hash:
62df20d975eb33d204e8284c4007157d
SHA1 hash:
af9512a3e8a2f682017231948af32bd066a27721
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
SH256 hash:
59ceb0b78230164405d88974e609da7c6fbce9bfa5c403b766c9996b16fe2770
MD5 hash:
667caa0f57ed5b318e9161559a724db1
SHA1 hash:
50518f7146e427ca76c984664fdf9ec4ba660bcc
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
SH256 hash:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
MD5 hash:
6adf971492254cf2a5f8894c8a0d637f
SHA1 hash:
009a265a5dc2c1fb960c4cffde17d95fc21fa16d
Link:
https://www.unpac.me/results/40b538a1-2b4a-4558-9c32-93036a153f22/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0cb284abb63c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments