MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a329a29ef2b80383739356d137646509dd5fcc91c40aacff48930d6ff6c407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41a329a29ef2b80383739356d137646509dd5fcc91c40aacff48930d6ff6c407
SHA3-384 hash: b162bba709dcdf6d9fb6fedb61c405a9a2a10f4090e9cf55eafe4094f1220d391aff24d8251ccbeb0883b6e1de5e9e63
SHA1 hash: b0673e08322ac7f6948b945a9d86b294d13424eb
MD5 hash: 90261e3d0141f06356de9fa0020bc527
humanhash: sad-spring-purple-kitten
File name:Bioteqs gmbh bestel BIO432.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:3'754'496 bytes
First seen:2022-02-01 19:15:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:BRdpp2aGN0xFfo8VJGw3DlFMK8tEu71B/0TIoIhI:B3FGwpTAKoHV+
Threatray 13'022 similar samples on MalwareBazaar
TLSH T15B068D66F3484D63CDDF1E7370A51754BF38CA4B07869B4B124AA2D8DCB23C09E6166E
File icon (PE):PE icon
dhash icon 70c0d0d0c8ccf0f0 (8 x Formbook, 4 x NanoCore, 3 x RedLineStealer)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bioteqs gmbh bestel BIO432.exe
Verdict:
Malicious activity
Analysis date:
2022-01-31 18:30:13 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/be46b303-de44-4c5c-8398-7799be1c6cda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229306/
Detection(s):
Win.Trojan.Gamarue-9900774-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Adding an access-denied ACE
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Launching cmd.exe command interpreter
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61f98704a0f6a794b3313b36/reports/01f2daba-b605-492e-9694-1716da377cd3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bb389a4-9264-496f-8616-ea9679bb2971
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932180
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 564659 Sample: Bioteqs gmbh bestel BIO432.exe Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 36 www.quimicosypapelesdelnte.com 2->36 38 quimicosypapelesdelnte.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 10 other signatures 2->48 11 Bioteqs gmbh bestel BIO432.exe 1 2->11         started        signatures3 process4 file5 28 C:\...\Bioteqs gmbh bestel BIO432.exe.log, ASCII 11->28 dropped 14 subst.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 2 other signatures 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 301.15-5.com 103.133.93.37, 49806, 80 ZNETUS Hong Kong 17->30 32 duncharis.com 74.220.219.94, 49822, 80 UNIFIEDLAYER-AS-1US United States 17->32 34 12 other IPs or domains 17->34 40 System process connects to network (likely due to code injection or exploit) 17->40 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/41a329a29ef2b80383739356d137646509dd5fcc91c40aacff48930d6ff6c407/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 15:53:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 43 (39.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igrstiu66k4aha3tsnlncn3emue52x6mshcavlh7jcjq237wyqdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
204831bda7d04f0905f7bf0c39e45b3772935726d8a436ee9703a19098b37e21
Formbook
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
779f51468b459d7e4fa2fb6dafabd1771416f00bdd0ad587b1f3119da41edd5e
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
b8ab74dd84edb28eb65b60019e3420a82747b46e1d10d016dbf74fee5edb7ecb
Formbook
b96d8904afc128bf96f360fb2702b6eb0d4d70ae6cbf32e7e4bbdd90ff884a04
Formbook
+ 13'012 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:iepw loader rat
Link:
https://tria.ge/reports/220201-xys4mabag3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
00baff64dfe30fb663e0cc83791389730d48a44d65c79cb378310a1a82e3fa6b
MD5 hash:
35909a89e173ec9d3b0196be1fe68e82
SHA1 hash:
48c7c6bc7bfd82bef38aaa0ebcaf5f6c6541504f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f5522fe-f0f9-4802-94c9-a74f11c5c12f/
SH256 hash:
350ab70501579c1bdc4a03e7cd21bf958729b4d7a7473c915e0a19c891d33bbc
MD5 hash:
e1d7a8ab43ce80e40f0d02d4975751ee
SHA1 hash:
dc33edeab63f6e71a5b7c384e541fdd58f7c013d
Link:
https://www.unpac.me/results/2f5522fe-f0f9-4802-94c9-a74f11c5c12f/
SH256 hash:
a003c13440cd1cf5d8b90ab955a86729abc034a7cf448cc5f220ef36c5c5570d
MD5 hash:
403c5659600dc098b1fd363367b3871b
SHA1 hash:
26748074311642a3715578e5cf7f951e2c87fee4
Link:
https://www.unpac.me/results/2f5522fe-f0f9-4802-94c9-a74f11c5c12f/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/2f5522fe-f0f9-4802-94c9-a74f11c5c12f/
SH256 hash:
41a329a29ef2b80383739356d137646509dd5fcc91c40aacff48930d6ff6c407
MD5 hash:
90261e3d0141f06356de9fa0020bc527
SHA1 hash:
b0673e08322ac7f6948b945a9d86b294d13424eb
Link:
https://www.unpac.me/results/2f5522fe-f0f9-4802-94c9-a74f11c5c12f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/41a329a29ef2b80383739356d137646509dd5fcc91c40aacff48930d6ff6c407

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/229306/

Comments