MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad
SHA3-384 hash:	b4c95d1e427194e45151b8f229bc6ae08e9c8701318826ca99991e25026b6125c68f1b726edff6db82c6d6c52a37969f
SHA1 hash:	ec6122ae8afd55f0b9730b52e74765ca7feb0e16
MD5 hash:	aea73b37ecd7c94c48f84168927bd61f
humanhash:	lithium-minnesota-massachusetts-jersey
File name:	transfer copy.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	452'096 bytes
First seen:	2022-12-12 13:06:57 UTC
Last seen:	2022-12-12 13:07:24 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:dPQxXi5zsU7rS9SLZM6tRAHWhlj9lNaZWpD:doxSxsU7uWXtRACw
Threatray	786 similar samples on MalwareBazaar
TLSH	T1DBA4F1BBEA903007DF6AC0B597D4707F53220E066B3677E535A446B13C2611CDDB2BAA
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

transfer copy.exe

Verdict:

Malicious activity

Analysis date:

2022-12-12 13:09:31 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/0801e3ba-5c2d-4bf2-952d-dd3a31cee70d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/345439/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.55409.12198.27938.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63972779d4d7598ad9052bd9/reports/2a2d0df8-9ca5-41c2-8674-eaf2013691f5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/68fcfecd-e9e2-4543-820d-694548c295d6

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1132637

Signature

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-12-12 12:46:39 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gc42xorqhsphdbqurn5dnyhwzc5bl65aujtp2s5oe5uqegjddswq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221212-qcmldseb3t/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7e328b62-35a1-418d-b039-5f4148089c83

Unpacked files

SH256 hash:

30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad

MD5 hash:

aea73b37ecd7c94c48f84168927bd61f

SHA1 hash:

ec6122ae8afd55f0b9730b52e74765ca7feb0e16

Link:

https://www.unpac.me/results/3f783bea-06a1-48b2-bfbf-a88c301d3913/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/30b9abba303c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/345439/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample