MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197
SHA3-384 hash: 1d49370a1fa503b27539b5716b9e3f98f2994ab3c1ae3b1b5c7c3e0739442ca08b158ac2fb3e82caaf0e9e3db0e7fd7f
SHA1 hash: 89a2add283343d61ce52f25213960c20e562f59e
MD5 hash: 56d6874ec63492330b6442e90e1744fb
humanhash: july-robert-north-potato
File name:urun_ornekleri_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:607'232 bytes
First seen:2022-10-03 21:52:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 09c042bdee297ff19a7c3e76c0267374 (1 x DBatLoader, 1 x FormBook)
ssdeep 12288:x8WkhRLHuTnv9b/EYXrUhNV257IzYFeUG6pbZe:xHcHuTnbXr/GQ9ppbZe
Threatray 19'241 similar samples on MalwareBazaar
TLSH T18ED49E2AF6C08477D123117D9D9FD668C82DBEA13924284B1FEA2DCC5F783813836697
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32324cecc4d0c4d4 (2 x ModiLoader, 1 x FormBook)
Reporter Racco42
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316245/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.150270.29353.10639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40935/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
formbook keylogger overlay packed remcos
Link:
https://www.filescan.io/uploads/633b59bf5c60ccc9fcff2484/reports/eaf83af5-47c6-47a7-9fd3-dca704bd1e70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/500ad214-0542-42e2-8fae-b8baeca299bc
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082833
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715390 Sample: urun_ornekleri_pdf.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 8 other signatures 2->83 10 urun_ornekleri_pdf.exe 1 20 2->10         started        process3 dnsIp4 57 ph-files.fe.1drv.com 10->57 59 onedrive.live.com 10->59 61 cle7ug.ph.files.1drv.com 10->61 43 C:\Users\Public\Libraries\Xhharsrg.exe, PE32 10->43 dropped 45 C:\Users\...\Xhharsrg.exe:Zone.Identifier, ASCII 10->45 dropped 47 C:\Users\Public\Libraries\Xhharsrg, data 10->47 dropped 107 Writes to foreign memory regions 10->107 109 Allocates memory in foreign processes 10->109 111 Creates a thread in another existing process (thread injection) 10->111 113 Injects a PE file into a foreign processes 10->113 15 colorcpl.exe 2 10->15         started        file5 signatures6 process7 signatures8 115 Modifies the context of a thread in another process (thread injection) 15->115 117 Maps a DLL or memory area into another process 15->117 119 Sample uses process hollowing technique 15->119 121 2 other signatures 15->121 18 explorer.exe 4 2 15->18 injected process9 dnsIp10 51 11ramshornroad.com 173.192.101.249, 49710, 49711, 49712 SOFTLAYERUS United States 18->51 53 www.soycmo.com 18->53 55 www.11ramshornroad.com 18->55 85 System process connects to network (likely due to code injection or exploit) 18->85 87 Uses netstat to query active network connections and open ports 18->87 22 NETSTAT.EXE 18 18->22         started        26 Xhharsrg.exe 16 18->26         started        29 mstsc.exe 18->29         started        signatures11 process12 dnsIp13 39 C:\Users\user\AppData\...\J1Llogrv.ini, data 22->39 dropped 41 C:\Users\user\AppData\...\J1Llogri.ini, data 22->41 dropped 89 Detected FormBook malware 22->89 91 Tries to steal Mail credentials (via file / registry access) 22->91 93 Tries to harvest and steal browser information (history, passwords, etc) 22->93 103 2 other signatures 22->103 31 cmd.exe 2 22->31         started        63 ph-files.fe.1drv.com 26->63 65 onedrive.live.com 26->65 67 cle7ug.ph.files.1drv.com 26->67 95 Multi AV Scanner detection for dropped file 26->95 97 Machine Learning detection for dropped file 26->97 99 Writes to foreign memory regions 26->99 105 3 other signatures 26->105 35 msiexec.exe 26->35         started        101 Tries to detect virtualization through RDTSC time measurements 29->101 file14 signatures15 process16 file17 49 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->49 dropped 69 Tries to harvest and steal browser information (history, passwords, etc) 31->69 37 conhost.exe 31->37         started        71 Modifies the context of a thread in another process (thread injection) 35->71 73 Maps a DLL or memory area into another process 35->73 75 Sample uses process hollowing technique 35->75 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 09:12:56 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilnlaex6fj37ilzqehrpgejivsle5nmixhrronsuj7cppcivsglq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
179131fddae5e6ad00f8e20140b2a916de1b25f0185e4151d450a746c1cf130c
FormBook
1e6bdda859cf7324cbbb98eba3f817db4cc00f8495b93cbdd46adb64be1b3c01
FormBook
7d41c471d4c5893ee0dd1c50cb44d7215e6b9cb5a693a587a0d33d894dea13d7
FormBook
84cd1092d3d60114702dd6db25a79ac062b5f8f481413bb3e5eaf263a06016d8
FormBook
8a728c1fb664386652b92e9384d57eb3c2b9a65e0d02769600ea5cd6bf45698d
FormBook
ac5e5935c877d48be14314d53a7154e370426a35168c82cb9ee83b7e98d02f28
FormBook
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
FormBook
+ 19'231 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/221003-1rlyhshbbp/
Behaviour
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b2850e6f-f519-48b0-ba7a-4805d2077fdd
Unpacked files
SH256 hash:
42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197
MD5 hash:
56d6874ec63492330b6442e90e1744fb
SHA1 hash:
89a2add283343d61ce52f25213960c20e562f59e
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/67cece62-d169-4d0a-abea-513dfd25b2cf/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42dab012fe2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/316245/

Comments