MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb
SHA3-384 hash: 446111d42a37087f1e6b7677fea583d42329c4997a664790ea2384cead283b401778cf174cf3f58297fd81b33eda2f6a
SHA1 hash: a146d7670d4ae5ae335343a312f8e92d9de12fe8
MD5 hash: b7136b8c5c7e7efe559bd3a70d8200e0
humanhash: louisiana-tennessee-gee-king
File name:b7136b8c5c7e7efe559bd3a70d8200e0
Download: download sample
Signature Formbook
Create hunting rule
File size:451'584 bytes
First seen:2021-06-24 02:32:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:21ddw9mDvPIoUzWkEpNLBGuheBKIYaMo1lTXp:8dwAUzWkEpHC1JHp
Threatray 5'921 similar samples on MalwareBazaar
TLSH B6A4BF10F690C035E5B612FC8D76D378A93D3EB06B3451CB62E51AEE5A386E0AC32717
Reporter zbetcheckin
Tags:32 exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b7136b8c5c7e7efe559bd3a70d8200e0
Verdict:
Suspicious activity
Analysis date:
2021-06-24 02:36:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/489e7cbe-dcad-41b1-a8cb-3676afa5bfd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Mokes-9872775-0
Create hunting rule

Win.Malware.Generic-9872779-0
Create hunting rule

Win.Malware.SmokeLoader-9872708-1
Create hunting rule

Win.Malware.Redline-9873006-1
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3ad305e-7c27-4d9b-8eb5-ac952583d658
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439511 Sample: hJ0qGegSUy Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 10 other signatures 2->47 8 hJ0qGegSUy.exe 4 2->8         started        12 explorer.exe 2->12         started        process3 dnsIp4 27 C:\Windows\svchost.com, PE32 8->27 dropped 29 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\setup.exe, PE32 8->31 dropped 33 117 other malicious files 8->33 dropped 57 Creates an undocumented autostart registry key 8->57 59 Drops PE files with a suspicious file extension 8->59 61 Drops executable to a common third party application directory 8->61 63 Infects executable files (exe, dll, sys, html) 8->63 15 hJ0qGegSUy.exe 8->15         started        35 www.mentorbp.com 12->35 37 mentorbp.com 52.70.100.34, 49721, 80 AMAZON-AESUS United States 12->37 39 www.mpaiji.com 12->39 65 System process connects to network (likely due to code injection or exploit) 12->65 67 Uses ipconfig to lookup or modify the Windows network settings 12->67 18 ipconfig.exe 12->18         started        file5 signatures6 process7 signatures8 69 Detected unpacking (changes PE section rights) 15->69 71 Contains functionality to inject code into remote processes 15->71 73 Tries to detect virtualization through RDTSC time measurements 15->73 75 Injects a PE file into a foreign processes 15->75 20 hJ0qGegSUy.exe 15->20         started        77 Modifies the context of a thread in another process (thread injection) 18->77 79 Maps a DLL or memory area into another process 18->79 23 cmd.exe 1 18->23         started        process9 signatures10 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Sample uses process hollowing technique 20->53 55 Queues an APC in another process (thread injection) 20->55 25 conhost.exe 23->25         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 03:20:20 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
45 of 46 (97.83%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00f2c3d90acc43620ca49351cea48c603955c50032ee5b6705c69bed68921570
Formbook
046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108
Formbook
0f832876e5226548ea1d6460e26f546c344b9edb63c9009176e04ebbb562aa08
Formbook
93fae9b54c0f1960139aa4007a0b8f695d61cdc5219fbfbe885c850a4f43a92d
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
bdc84c917558fe1a4055309a8d6ad6d89d2cdf5a6741c218ace44f70489f9260
Formbook
cdcb4d8c4292e945bd519f6d50039a4f5fc933b909eacd6ac1286fbf1ff2142a
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15
Formbook
f62f23f0f2a417ce32f3249502507a6036482bc41939eff23c92b1d5d44e480b
Formbook
+ 5'911 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210624-zfjq621m7s/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
Modifies system executable filetype association
Malware Config
C2 Extraction:
http://www.mpaiji.com/c244/
Unpacked files
SH256 hash:
412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb
MD5 hash:
b7136b8c5c7e7efe559bd3a70d8200e0
SHA1 hash:
a146d7670d4ae5ae335343a312f8e92d9de12fe8
Link:
https://www.unpac.me/results/eed9f552-00a2-40ae-8411-623c81bae0e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 412bcb0abe4197be23ae265308d96f9db0f0fd5f96ec0ac053d744d1565e80eb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393341/

Comments