MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895
SHA3-384 hash: 33cc266f23b7b1eac8021c9108c5eaf06bdb81a2d500a19cc60098107ce3265711458fc05f5f06c74af2a6b5ffcbe5be
SHA1 hash: 8cd2be38312ac4074411d92163fb72ff2c78eb0e
MD5 hash: e56926dc82f374200bdc1b2640803565
humanhash: florida-artist-item-mike
File name:Awb_shipping_BL_doc_5860000000000000822.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:242'366 bytes
First seen:2022-02-22 14:09:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:TxDgFYjqmBlf8uoP+bvwJj1N3JpDkwIxhCZ2nyOrxR8:mFIbDPoPwIZtIxwuyOrxS
Threatray 13'633 similar samples on MalwareBazaar
TLSH T12E34120B10D19CFAC219563017FAE5DAABFBF23A87251287AB701F9D6C155CE820C5E7
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243274/
Detection(s):
SecuriteInfo.com.generic.ml.3670.26147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6214eecaa2660f3bb925e1ab/reports/b4b357cc-8bac-4634-a7bf-1d0e22a1b8d5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77cd49ef-f977-455a-be7e-bdff4a6dbbf5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944060
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576543 Sample: Awb_shipping_BL_doc_5860000... Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 4 other signatures 2->55 11 Awb_shipping_BL_doc_5860000000000000822.exe 18 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\hbfzsnsee.exe, PE32 11->33 dropped 14 hbfzsnsee.exe 1 11->14         started        process5 signatures6 67 Multi AV Scanner detection for dropped file 14->67 69 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->69 71 Tries to detect virtualization through RDTSC time measurements 14->71 73 Injects a PE file into a foreign processes 14->73 17 hbfzsnsee.exe 14->17         started        20 conhost.exe 14->20         started        process7 signatures8 41 Modifies the context of a thread in another process (thread injection) 17->41 43 Maps a DLL or memory area into another process 17->43 45 Sample uses process hollowing technique 17->45 47 Queues an APC in another process (thread injection) 17->47 22 explorer.exe 17->22 injected process9 dnsIp10 35 gmoviapp.com 209.217.224.2, 49758, 80 NTHLUS United States 22->35 37 a4.sddns.net 112.121.161.235, 49761, 80 NETSEC-HKNETSECHK Hong Kong 22->37 39 10 other IPs or domains 22->39 57 System process connects to network (likely due to code injection or exploit) 22->57 59 Performs DNS queries to domains with low reputation 22->59 26 wlanext.exe 22->26         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 26->61 63 Maps a DLL or memory area into another process 26->63 65 Tries to detect virtualization through RDTSC time measurements 26->65 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 14:10:14 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=deani25qhwfowsq373ywzvnuleb5yvwitmg4o6clixej6f5j7ckq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
705bf99df489a6945a540499bc8c6d7b7564d9a255629e326013d4a85bb77a78
Formbook
751fb21a072dc731a17478bec40fe550f4fc6be13fb6079f38d9fc19b41021cf
Formbook
acf40f9d3eea74324291c55f5ab8d3678e0dcc085581bdd9cf66897f4324bc3c
Formbook
da99d68a728c3a14d186c03c30b551914fe57073f231d334be7955131cb5f921
Formbook
f16768c3348ef6a7bde4d734eb1f407fe577d709bca21b0526ded6065be7cc92
Formbook
+ 13'623 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rzwo loader rat suricata
Link:
https://tria.ge/reports/220222-rgqdhsagfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c6ceb3bbeb4b77c856253bee34ae3e19a235310111e828ee20ca3b879599e230
MD5 hash:
e39f92faf073501abbb52cc23af609fd
SHA1 hash:
3fd13d5c9e9df6cee41048284ec6fe99af7bfc16
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/24012300-ee72-4a95-bfe1-5a487b6cf6d1/
Parent samples :
1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
SH256 hash:
d89c00b6a257f31ca07245bb828e65ce2f38f61bd9b12e6c9605c51bc4c13390
MD5 hash:
e5013fbdfd2bc351e5968d97f4389ba6
SHA1 hash:
1a5201378aa05288e9b46a85d99fb8098b0a00e6
Link:
https://www.unpac.me/results/24012300-ee72-4a95-bfe1-5a487b6cf6d1/
SH256 hash:
1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895
MD5 hash:
e56926dc82f374200bdc1b2640803565
SHA1 hash:
8cd2be38312ac4074411d92163fb72ff2c78eb0e
Link:
https://www.unpac.me/results/24012300-ee72-4a95-bfe1-5a487b6cf6d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1900d46bb03d8aeb4a1bfef16cd5b45903dc56c89b0dc7784b45c89f17a9f895

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/243274/

Comments