MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953
SHA3-384 hash: 48fa5e2b0a41d163f7e3a62524939e43cf7d307ce11477d5365182c3aa2be42526e7d121565e6dd872d28aa5a15611a4
SHA1 hash: ae58cfd2293b8e24fa8cfa0f74f0bb4c57de5ba5
MD5 hash: 87edf2ffcb84c0d885dbdb74b16f6f54
humanhash: pizza-september-skylark-burger
File name:87edf2ffcb84c0d885dbdb74b16f6f54
Download: download sample
Signature Formbook
Create hunting rule
File size:1'595'904 bytes
First seen:2023-07-25 23:42:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea8d56a6b9f4ce307f716636038657d2 (1 x ModiLoader, 1 x AveMariaRAT, 1 x AgentTesla)
ssdeep 24576:rbGHGrOrQ9gnMC6LO3cQoikKgti8PM2MCUrTDLwVIf2IOXkDtZ3NptsWbJZ:rbGWAJeDingti8P+TwSNO0n9vrbJZ
Threatray 3'399 similar samples on MalwareBazaar
TLSH T16B75F128B5E04537D173193C9C0A52999469FD613B34EC86BEF42C9DAF3CB513D2A28B
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon dc1bcbc4c4c4c4b4 (3 x ModiLoader, 1 x AgentTesla, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
87edf2ffcb84c0d885dbdb74b16f6f54
Verdict:
Malicious activity
Analysis date:
2023-07-25 23:45:36 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/e6aefe04-9bbb-413e-b82e-7ea40fcea3b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/433304/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.1967.5044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6faacceb-8760-4fb9-b6dc-8838cfe32853
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1279727
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279727 Sample: EYrU6f23jz.exe Startdate: 26/07/2023 Architecture: WINDOWS Score: 88 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected DBatLoader 2->42 44 2 other signatures 2->44 6 EYrU6f23jz.exe 1 2 2->6         started        11 Cpwqczzf.PIF 2->11         started        process3 dnsIp4 26 web.fe.1drv.com 6->26 28 ph-files.fe.1drv.com 6->28 34 2 other IPs or domains 6->34 22 C:\Users\Public\Libraries\Cpwqczzf.PIF, PE32 6->22 dropped 46 Drops PE files with a suspicious file extension 6->46 13 WerFault.exe 24 9 6->13         started        16 logagent.exe 6->16         started        30 web.fe.1drv.com 11->30 32 ph-files.fe.1drv.com 11->32 36 2 other IPs or domains 11->36 48 Multi AV Scanner detection for dropped file 11->48 50 Machine Learning detection for dropped file 11->50 18 WerFault.exe 10 11->18         started        20 colorcpl.exe 2 11->20         started        file5 signatures6 process7 file8 24 C:\ProgramData\Microsoft\...\Report.wer, Unicode 13->24 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953/
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 21:00:07 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ea5gcrex4zokehkcutwql5xpzpevql7vzmagkl4d6rju6dhr3fjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
36b01f2918bc713fb4a312e98ff091a0f36d227b4c3e51a77ccce6b554d45287
Formbook
5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496
Formbook
6362e9238ae682805b33d2503122e845994d69e1eb51f981cde99b04572cc85c
Formbook
7a91a1cbaa20e78c0e6814b51ed7d239074c95dd348159817e16606a6a04f344
Formbook
989f73c339df6cf640b06dedf92cec20ed8c715186d6839177d57c73f9491e32
Formbook
bddb79b43d9173dba1eaa807096a8d2f09fbcec0f9adb9c7f5f5fbb97cc82b48
Formbook
eb66ae0428282ee90ca78a2f0d37e322cc682bd9dccb9c7e50bf53da117fd0a4
Formbook
fca144f13d2819b16b527620ba2e1d844a41b3b91057b869751ff004ac6d9d3c
Formbook
+ 3'389 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230725-3qkp6sgd62/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Suspicious use of NtCreateProcessOtherParentProcess
Unpacked files
SH256 hash:
36f60fb09684923e86b288e69e45837bb133ef1d3239bd3cc35964babe72a80d
MD5 hash:
8156c46fcb7fd2624f3e268f1941659f
SHA1 hash:
50d49c1ea1b9f27b02dca6a97bcd9b5af57c1d79
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/54fdafd3-b3eb-4b04-bbb9-8c1a8808e2c8/
Parent samples :
869eb1b44b9d5e0ee5b99b1189edd21d706c58094387ba32ebf2aa45703a9c9b
a353487493238df8b80d02160ce8ab8391e99e228fb9403082c732f7c5e2a639
0d2f7e49186d74f6e8a320d41283d88fcd785f4b1e06abd18553ebc14b8c9f17
203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953
SH256 hash:
203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953
MD5 hash:
87edf2ffcb84c0d885dbdb74b16f6f54
SHA1 hash:
ae58cfd2293b8e24fa8cfa0f74f0bb4c57de5ba5
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/54fdafd3-b3eb-4b04-bbb9-8c1a8808e2c8/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/203a614497e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 203a614497e65ca21d42a4ed05f6efcbc9582ff5cb00652f83f4534f0cf1d953

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/433304/

Comments


Avatar
zbet commented on 2023-07-25 23:42:20 UTC

url : hxxps://eu.wildfire.paloaltonetworks.com/panos/sample/cloud/U1ZLWnc1NEFPbWFsYTFkU0tMOWZjN0NiMGtzVDR4dVlFVE5XTTlLYjBSTUNJa0JIYi9UQmU5SmNiUGhhSXpESkI5VUFmczZVeEF5R05vckRhNWN6VWpVcngzT1ZuSFZLRm1FUGtwUWJjMW5RR0pnWG9IWG1iZ2xVRjFLNi85QW5BZjR6NUkxODRVbXlLRUI5YmVrVkt4eHVYYTlBSGlsc25zb3lXRzRTbW84M2MrVnR2ZFFpTDVVbkhNeG1pYVFWWG1pTHpWV0s5MkZrK3kwdzJqczlnZz09/