MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89
SHA3-384 hash: 50e265599a887733ce4e8958d4eeb7a33852109c961c41c56c7ece9ca3337850a0fd7d8959908c5e6c460927235d43c7
SHA1 hash: 1b04814d9152cf9692244ad2c1e532621ef032d9
MD5 hash: aa61eefa26537416118ec227de2c559d
humanhash: emma-ten-william-music
File name:Nova lista narudzbi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:968'192 bytes
First seen:2022-09-13 06:25:47 UTC
Last seen:2022-09-16 19:57:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15f300867bc81185bb5bfe58b28923ad (3 x ModiLoader, 1 x Formbook, 1 x DBatLoader)
ssdeep 12288:WblUacng1lreJF4PHWGtohtFpVfVGqnDo0yDTW0kVrhf7fvU5:WlU3ngaJF4P2NHPVdLo0t0kVlvq
Threatray 108 similar samples on MalwareBazaar
TLSH T150259EE6B2F08A33C063193ECF7F72998E7DBE511D24A44A67E13948DF35681342A617
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Nova lista narudzbi.exe
Verdict:
Malicious activity
Analysis date:
2022-09-13 06:50:09 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/e2e54128-1a0b-44b8-a83e-d7d606dda3db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309620/
Detection(s):
Win.Dropper.LokiBot-9938605-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37511/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive greyware keylogger overlay shell32.dll
Link:
https://www.filescan.io/uploads/6320229ba90642bcbb0a9ef3/reports/0a4b22a0-d627-44f1-9667-f0ee7ecf45c1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d7ac99c-38bd-4de5-bdab-4b7d24e97bc1
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069352
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 701881 Sample: Nova lista narudzbi.exe Startdate: 13/09/2022 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->57 59 5 other signatures 2->59 7 Mvnxupba.exe 14 2->7         started        11 Nova lista narudzbi.exe 1 18 2->11         started        14 Mvnxupba.exe 14 2->14         started        process3 dnsIp4 31 ph-files.fe.1drv.com 7->31 39 2 other IPs or domains 7->39 61 Multi AV Scanner detection for dropped file 7->61 63 Writes to foreign memory regions 7->63 65 Allocates memory in foreign processes 7->65 16 iexpress.exe 7->16         started        33 ph-files.fe.1drv.com 11->33 41 2 other IPs or domains 11->41 25 C:\Users\Public\Libraries\Mvnxupba.exe, PE32 11->25 dropped 27 C:\Users\...\Mvnxupba.exe:Zone.Identifier, ASCII 11->27 dropped 29 C:\Users\Public\Libraries\Mvnxupba, data 11->29 dropped 67 Creates a thread in another existing process (thread injection) 11->67 69 Injects a PE file into a foreign processes 11->69 19 iexpress.exe 11->19         started        35 192.168.2.1 unknown unknown 14->35 37 ph-files.fe.1drv.com 14->37 43 2 other IPs or domains 14->43 21 iexpress.exe 14->21         started        file5 signatures6 process7 signatures8 45 Modifies the context of a thread in another process (thread injection) 16->45 47 Maps a DLL or memory area into another process 16->47 49 Tries to detect virtualization through RDTSC time measurements 16->49 51 Queues an APC in another process (thread injection) 16->51 23 explorer.exe 16->23 injected process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89/
Threat name:
Win32.Trojan.Hesv
Create hunting rule
Status:
Malicious
First seen:
2022-09-12 15:34:23 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbep67cqk67x3x26pdn2pyq3u3aaspddqwydu3cx4me6k3dwlweq._file
Verdict:
malicious
Similar samples:
15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
Formbook
1dddbd9bb1c2ed3b0ac846f3dcfbfd99909394f17a813be425b1870ef0f52c5e
Formbook
5fabffc9eb6177ac29a1e51bf2a8bde55ddd97e2f7c86134eb2512b927f1232e
Formbook
663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
Formbook
7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8
Formbook
868e3a9f49c41cd1823e765cc8d2e97453ada6baac959e58187e1a337db01b96
Formbook
88502779764c4ceacff4b4a39a389bf13389b734f99e76160c865a2da6d21bee
Formbook
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
Formbook
e233d86e74d3846be66e323c4850b495c66658ca63cd28ec1a47a3b0c95f7559
Formbook
+ 98 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat trojan
Link:
https://tria.ge/reports/220913-g67c8aehb9/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9ab7bf2a-d8d3-4d7f-9c2f-c17e0d55959b
Unpacked files
SH256 hash:
2f372058fe46bf0267b2d385b835ef8f0b31890af8830795813c4265546d6a62
MD5 hash:
bacdfc7245220f022d00ebfb05e2f204
SHA1 hash:
6f7ea257c3e3018177f04757216a703c74dd2c1c
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/871c62ce-de2c-4060-aed5-e65cbe2555e2/
Parent samples :
7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8
3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89
dd248dcb742175c4ea98e085fc1a9a9dcad0feedee9a1c66006025de163a9789
b5d874ba88076fe352d977028ec0b46fb35d7ebb01ae4bec0e9e02e25c42d96c
SH256 hash:
3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89
MD5 hash:
aa61eefa26537416118ec227de2c559d
SHA1 hash:
1b04814d9152cf9692244ad2c1e532621ef032d9
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/871c62ce-de2c-4060-aed5-e65cbe2555e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/309620/

Comments