MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619
SHA3-384 hash: 3438ad6d071ba2e75218163c4ee8f023c54d7d2b2b8a889b90799fa4c8b339aec22e5843c6143f72f9a4dc6e15fbf679
SHA1 hash: 2ff587df7c7b4f665756532bdeb8e46e1722e6b5
MD5 hash: 8f59fc0b09da6e550d8500ed08639e4f
humanhash: william-timing-oven-johnny
File name:ORDEN DE COMPRA URGENTE‮s؜x؜l؜x؜..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'280'062 bytes
First seen:2024-06-21 05:29:57 UTC
Last seen:2024-06-26 20:21:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:9sR2w1Mc0Rufou0saPbMyIJKp8mbcRpfQxcZXGB3iK2FOGuH/WKCptlXp/B8h:q50Bu0rbUKprcRmcZXdoGuH/A3l5/Y
Threatray 9 similar samples on MalwareBazaar
TLSH T17045AF91B9474C87FC1212B1C8EAB9F010FD5D5B74F4520FEF657E2226B227E10A693A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 1c189bda9b2d575b (14 x Formbook, 4 x SnakeKeylogger, 2 x DarkTortilla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
337
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619.exe
Verdict:
Malicious activity
Analysis date:
2024-06-21 05:32:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/524a28ff-014e-4f83-9513-05a20a2a0fdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject5.5967.20272.4308.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667510afa9467d5d6f161bb6win7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Heur Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/022d3d63-b666-4b77-b105-df9f6ed411e4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1460559
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Disables UAC (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460559 Sample: ORDEN DE COMPRA URGENTEsxlx..exe Startdate: 21/06/2024 Architecture: WINDOWS Score: 100 68 www.vertilehub.xyz 2->68 70 xiaoyue.zhuangkou.com 2->70 72 30 other IPs or domains 2->72 94 Snort IDS alert for network traffic 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 102 9 other signatures 2->102 11 ORDEN DE COMPRA URGENTEsxlx..exe 1 3 2->11         started        14 iexplore.exe 2->14         started        16 svchost.exe 2->16         started        19 iexplore.exe 2->19         started        signatures3 100 Performs DNS queries to domains with low reputation 68->100 process4 dnsIp5 112 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->112 114 Writes to foreign memory regions 11->114 116 Allocates memory in foreign processes 11->116 118 3 other signatures 11->118 21 iexplore.exe 11->21         started        24 powershell.exe 23 11->24         started        26 WerFault.exe 22 16 11->26         started        28 iexplore.exe 11->28         started        30 iexplore.exe 107 14->30         started        66 127.0.0.1 unknown unknown 16->66 32 iexplore.exe 19->32         started        signatures6 process7 signatures8 106 Maps a DLL or memory area into another process 21->106 34 UXDPujYMYMFcEVbKxPZGllWMOIyS.exe 21->34 injected 108 Loading BitLocker PowerShell Module 24->108 38 conhost.exe 24->38         started        40 iexplore.exe 30->40         started        42 iexplore.exe 30->42         started        process9 dnsIp10 74 www.vertilehub.xyz 203.161.49.220, 60922, 60924, 60927 VNPT-AS-VNVNPTCorpVN Malaysia 34->74 76 www.xuzfceth.com 152.32.156.214, 60929, 60930, 60931 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK Hong Kong 34->76 84 10 other IPs or domains 34->84 104 Found direct / indirect Syscall (likely to bypass EDR) 34->104 44 sc.exe 1 13 34->44         started        78 code.jquery.com 151.101.66.137, 443, 49759, 49760 FASTLYUS United States 40->78 80 sb.scorecardresearch.com 18.244.18.122, 443, 49750, 49751 AMAZON-02US United States 40->80 47 ie_to_edge_stub.exe 40->47         started        49 ssvagent.exe 40->49         started        82 prod.appnexus.map.fastly.net 151.101.1.108, 443, 49794, 49795 FASTLYUS United States 42->82 signatures11 process12 signatures13 120 Tries to steal Mail credentials (via file / registry access) 44->120 122 Tries to harvest and steal browser information (history, passwords, etc) 44->122 124 Modifies the context of a thread in another process (thread injection) 44->124 126 2 other signatures 44->126 51 firefox.exe 44->51         started        53 msedge.exe 47->53         started        process14 dnsIp15 86 239.255.255.250 unknown Reserved 53->86 110 Maps a DLL or memory area into another process 53->110 57 msedge.exe 53->57         started        60 msedge.exe 53->60         started        62 identity_helper.exe 53->62         started        64 2 other processes 53->64 signatures16 process17 dnsIp18 88 clients2.googleusercontent.com 57->88 90 googlehosted.l.googleusercontent.com 142.250.185.225, 443, 49733 GOOGLEUS United States 57->90 92 5 other IPs or domains 57->92
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-06-20 11:52:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfnsnwgvxepdxw7ty6dht32jk2d3mj4pb2mocr54cpq6mneyoymq._file
Verdict:
malicious
Similar samples:
46c56c73ef7f015efc0324de490c11519ff43d6e822967df67d3dde2ad9df8e8
Formbook
67bec7baee14d70a85f1277f311290c65dd4500848db28f9ded74b2ff9772586
Formbook
6fff1f87203cf11d9e314031c01680eb7220a5fd478dd08fd682ceeafd21c955
Formbook
a6660b06f32c33ba46600ccb1d3f2030d85ccc1262a09094e4f0fdc89755c3d3
Formbook
eec8ab21c693557b1b1702a097d1999daf151c029c5ba1d01df261ecc556efbb
Formbook
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion execution persistence trojan
Link:
https://tria.ge/reports/240621-f66k9atamq/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Uses the VBS compiler for execution
Windows security modification
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619
MD5 hash:
8f59fc0b09da6e550d8500ed08639e4f
SHA1 hash:
2ff587df7c7b4f665756532bdeb8e46e1722e6b5
Link:
https://www.unpac.me/results/8830bdfa-7206-47a1-b57e-6f5ba1e3886c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/195b26d8d5b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 195b26d8d5b91e3bdbf3c78679ef495687b6278f0e98e147bc13e1e634987619

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments