MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b931e14bdbf51c88c98a13c7f934dd3c9e8e1b8583d8d95129e1a0b3a03eece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 13

SHA256 hash: 1b931e14bdbf51c88c98a13c7f934dd3c9e8e1b8583d8d95129e1a0b3a03eece
SHA3-384 hash: 4c19faaa2a38ef2f0a0305a7441b5b8ede45d4096a2dd5e115db14180573f9ee32509b868a84ea5ff31ad449d4eefa2f
SHA1 hash: 25c25c70ba0e88f4952fb739df0e9d48896b71fd
MD5 hash: 20f7d95a5ff1ad22ebabc1037556c014
humanhash: bluebird-xray-angel-mars
File name: Adjunto orden de compra.exe
Signature: Formbook
File size: 1'156'096 bytes
First seen: 2022-03-20 09:57:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 066f2adf6884c84166ea572f3442e2f3 (8 x Formbook, 2 x RemcosRAT)
ssdeep: 12288:RbojJKNbgMwT2NRAvS/yqenMbJjRsBp8oziAO8Iz2sVW3MUqI6F3HAhcAszeVQ18:elKiCRAvS6qOMZGBNgzyqTHAhU2
Threatray: 14'519 similar samples on MalwareBazaar
TLSH: T185355BF2E2908832D4223A384C5F5EB9B52A7E01DDE86546E6E43F093F3D571EC12A57
dhash icon: 342c6c9c97cc6492 (11 x Formbook, 9 x RemcosRAT, 1 x AveMariaRAT)
Reporter: TeamDreier
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 301
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm control.exe keylogger replace.exe

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph (ID: 592749; Sample: Adjunto orden de compra.exe; Startdate: 20/03/2022; Architecture: WINDOWS; Score: 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree:
- Adjunto orden de compra.exe (started)
    DNS/IP: onedrive.live.com; dm-files.fe.1drv.com; 1o0srw.dm.files.1drv.com
    Dropped: C:\Users\Public\Pbadbrs.exe (PE32); C:\Users\Public\srbdabP.url (MS); C:\Users\Public\Pbadbrs.exe:Zone.Identifier (ASCII)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    - logagent.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        - explorer.exe (injected)
            - Pbadbrs.exe (started)
                DNS/IP: l-0004.dc-msedge.net 13.107.43.13, 443, 49785, 49788 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 192.168.2.1 unknown unknown; 3 other IPs or domains
                Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                - logagent.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
            - cmd.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                - cmd.exe (started)
                    - conhost.exe (started)
            - help.exe (started)
- explorer.exe (started)

Result
Threat name: Win32.Trojan.SpyNoon
Status: Malicious
First seen: 2022-03-17 10:12:21 UTC
File Type: PE (Exe)
Extracted files: 43
AV detection: 28 of 42 (66.67%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:3nop persistence rat spyware stealer trojan
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Unpacked files
SHA256 hash: 1b931e14bdbf51c88c98a13c7f934dd3c9e8e1b8583d8d95129e1a0b3a03eece
MD5 hash: 20f7d95a5ff1ad22ebabc1037556c014
SHA1 hash: 25c25c70ba0e88f4952fb739df0e9d48896b71fd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 1b931e14bdbf51c88c98a13c7f934dd3c9e8e1b8583d8d95129e1a0b3a03eece (this sample)

Delivery method: Distributed via e-mail attachment