MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 1 File information Comments

SHA256 hash:	244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034
SHA3-384 hash:	cb86d53613fbcec35d21f0e5b4fb74b6db5671d451a10e320819535524914b4e2dce9186f89208e6756d660819d2d3b3
SHA1 hash:	e09b69e9b87e029962e0734db32b9ef4f9c4af4d
MD5 hash:	92f39004939a97c8ce5eb4346e0f09ad
humanhash:	angel-fourteen-don-nitrogen
File name:	Doc#230822TRF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	273'774 bytes
First seen:	2023-08-22 19:49:09 UTC
Last seen:	2023-08-28 12:15:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:/Ya6orng5+UXg/4CblAVFZLySPXxWFs6r6U5sk/N4fYyHl+sHs:/Yuj/HqFLRXAFs+6YN9is
Threatray	1'985 similar samples on MalwareBazaar
TLSH	T1B64412A414E4D15BE9F242B22EB50BE6BFE595062C68D70B3304AF1DBD361C1E42F366
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Doc#230822TRF.exe

Verdict:

Malicious activity

Analysis date:

2023-08-22 19:51:22 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/058bd577-0fc4-4d61-b870-ae3f56a3993f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/444226/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230822-1437.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/108333/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64e5116ba29d57e20389f05e/reports/46831d61-9184-4614-b171-d30392b87bbd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15ee62f1-6b04-49c4-a663-e6087da3feb9

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1295470

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-08-22 08:50:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=erg2pzkqp2biezvjmhr7jpiwl4nyyqeemmkx23a6ag7pdtywea2a._file

Verdict:

malicious

Label(s):

formbook

Formbook

200100b843cccd6b1fc8f2455de2d6069aa6272b3b2d94e805ee72d08bbfd665

Formbook

3fe2c04c33423019af7464d50b3df0775a565e9a31e1a289b49e4e180585ab00

Formbook

5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3

Formbook

80c6293d18c38b686ea6ab60d134247f8d72553be2d20a305b94c78115227667

Formbook

a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc

Formbook

c930599e45ce9f8d2d1ffcce335e47b1beef8119dabef13eefe381927a4f6719

Formbook

da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84

Formbook

ebaa46d302bc220922a76189a85e48f24587ccab47f674d37b02cf4e605c4755

Formbook

eea29ccf59fa6a6aa5a3c14360db6068144f14601d987ec37ea21a35cdac9430

Formbook

+ 1'975 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:sn26 rat spyware stealer trojan

Link:

https://tria.ge/reports/230822-yj8q7sfb27/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

5052c5afbe6ab1a3d27606c985848cb3ab2da75eb5f338b9daf5d91f5b36622b

MD5 hash:

6527c67785f7f845c419eafa42fcac80

SHA1 hash:

a84761d96f8be76fe112b92384d776a5d37c8a1f

Link:

https://www.unpac.me/results/0f06025e-941a-4f80-bfd7-5a7cd87b6f95/

SH256 hash:

244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034

MD5 hash:

92f39004939a97c8ce5eb4346e0f09ad

SHA1 hash:

e09b69e9b87e029962e0734db32b9ef4f9c4af4d

Link:

https://www.unpac.me/results/0f06025e-941a-4f80-bfd7-5a7cd87b6f95/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/244da7e5507e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.