MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 12

SHA256 hash: 1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90
SHA3-384 hash: 2623dba881f9827f616e6874520a4729c29f2bf2e6f14522fed448974d82c918da63ca0754adb4e11ca4c6879487132d
SHA1 hash: 5269cc6f78d7a184a2ed904b9cb84730cc0815ac
MD5 hash: 60589f9e1b3d9c1721f9f4fb395be528
humanhash: table-autumn-crazy-queen
File name: PI209627515141.exe
Signature: Formbook
File size: 844'288 bytes
First seen: 2022-02-02 16:00:07 UTC
Last seen: 2022-02-09 10:20:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 854d5095b28b9ad272060d4d463a6c99 (2 x NetWire, 2 x Formbook, 1 x AveMariaRAT)
ssdeep: 12288:klwxOYgJ9j9s1sve0B3FWZRb8uno+IbjlqV7bkNlpl1+ZUR3:k+0z9j9isve0BcZx8uoj87INlpTCUR3
TLSH: T1C905BFA3B5D0447DC72B29B5AE2FC1887A15BD611D28254B3BD96E1C0FB92823835FD3
dhash icon: 63111616171fffee (13 x Formbook, 5 x RemcosRAT, 3 x AveMariaRAT)
Reporter: pr0xylife
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 3
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe keylogger
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph ID: 565011, sample: PI209627515141.exe, start date: 02/02/2022, architecture: WINDOWS, score: 100
Start node contacts: www.fabio.tools; www.awp.email; 5 other IPs or domains
Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
Process tree (each process listed with its network contacts, dropped files and signatures, then the processes it started or injected):
PI209627515141.exe
  network: cdn.discordapp.com 162.159.135.233, 443, 49753, 49754 CLOUDFLARENETUS United States
  dropped: C:\Users\user\Contacts\Hqvbisntbl.exe, PE32
  dropped: C:\Users\...\Hqvbisntbl.exe:Zone.Identifier, ASCII
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  started: logagent.exe
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    injected: explorer.exe
      network: www.77777.store 103.120.80.144, 49828, 49840, 49841 WEST263GO-HKWest263InternationalLimitedHK Hong Kong
      network: www.thecuratedpour.com 74.220.199.6, 49834, 80 UNIFIEDLAYER-AS-1US United States
      network: 27 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit)
      started: Hqvbisntbl.exe
        network: cdn.discordapp.com
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
        started: DpiScaling.exe
          signatures: Uses netstat to query active network connections and open ports; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
      started: Hqvbisntbl.exe
        network: 162.159.133.233, 443, 49771 CLOUDFLARENETUS United States; cdn.discordapp.com
        signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
        started: DpiScaling.exe
          signatures: Sample uses process hollowing technique
          started: NETSTAT.EXE
            signatures: Tries to detect virtualization through RDTSC time measurements
      started: chkdsk.exe
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        started: cmd.exe
          started: conhost.exe
      started: raserver.exe
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2022-02-02 08:32:37 UTC
File Type: PE (Exe)
Extracted files: 51
AV detection: 22 of 28 (78.57%)
Threat level: 2/5
Verdict: malicious
Label(s): formbook
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:euv4 loader persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SHA256 hash: d56dcedfe9f4d0a030a551f94424ce1948fb419d114429019e2c0b769b7bfcf7
MD5 hash: 0c0de81954d7c4ac102c28514739efb7
SHA1 hash: 1820e2812b38be4bdbe40349d05e65c9f81f4a60
Detections: win_dbatloader_w0
Parent samples:
SHA256 hash: 1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90
MD5 hash: 60589f9e1b3d9c1721f9f4fb395be528
SHA1 hash: 5269cc6f78d7a184a2ed904b9cb84730cc0815ac
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments