MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SHA3-384 hash: d41271157e0cf41ba52be53a90bfe296c71cdc9ae6444f95cde6e232434ee57645081198cd85522018bb35bf185db2f2
SHA1 hash: 1020db6554d30f6bfc155e2deb0d7b905844b787
MD5 hash: c1a531ccb95e07fef9e361de6c02ff5d
humanhash: twenty-utah-golf-twelve
File name:90324416271415.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:931'328 bytes
First seen:2022-09-17 17:03:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 382d9c538727c04c8c0ffa65db10afc6 (3 x ModiLoader, 1 x DBatLoader, 1 x Formbook)
ssdeep 12288:1Z3m2ifTnKeXXOeh0jbXGrapowu0ZDNDoCHjsG83q/rhf7fvQB:P9irKeXXOehw2rapowuCFoT3q/lvk
Threatray 18'383 similar samples on MalwareBazaar
TLSH T12115AFE3B2F0CF33C0231ABDCE2772999E7E7E602915B44A63E53E58CE74581242A557
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13101/52/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
90324416271415.exe
Verdict:
Malicious activity
Analysis date:
2022-09-17 17:04:10 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/579f6f75-b390-4772-869e-a1468049adbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310972/
Detection(s):
Porcupine.Unclassified.17311.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Jaik.95298.15189.21808.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay
Link:
https://www.filescan.io/uploads/6325fe186da26524a14699c1/reports/261094e6-d23f-414f-a0db-784933ad3d5d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23f057d0-fa8d-4047-bad3-df2003b4ee71
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072305
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 704847 Sample: 90324416271415.exe Startdate: 17/09/2022 Architecture: WINDOWS Score: 100 37 www.maxproductdji.com 2->37 39 maxproductdji.com 2->39 67 Snort IDS alert for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 5 other signatures 2->73 11 90324416271415.exe 1 18 2->11         started        signatures3 process4 dnsIp5 53 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49712, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->53 55 ph-files.fe.1drv.com 11->55 57 2 other IPs or domains 11->57 35 C:\Users\Public\Libraries\Bokvwmyh.exe, PE32 11->35 dropped 87 Contains functionality to inject threads in other processes 11->87 89 Contains functionality to inject code into remote processes 11->89 91 Writes to foreign memory regions 11->91 93 3 other signatures 11->93 16 iexpress.exe 11->16         started        file6 signatures7 process8 signatures9 59 Modifies the context of a thread in another process (thread injection) 16->59 61 Maps a DLL or memory area into another process 16->61 63 Sample uses process hollowing technique 16->63 65 2 other signatures 16->65 19 explorer.exe 16->19 injected process10 dnsIp11 41 www.lovesoe.com 156.225.160.22, 49734, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->41 43 www.ozzyconstructionma.com 104.21.77.39, 49732, 80 CLOUDFLARENETUS United States 19->43 45 2 other IPs or domains 19->45 75 System process connects to network (likely due to code injection or exploit) 19->75 77 Uses netsh to modify the Windows network and firewall settings 19->77 23 netsh.exe 19->23         started        26 Bokvwmyh.exe 14 19->26         started        signatures12 process13 dnsIp14 79 Modifies the context of a thread in another process (thread injection) 23->79 81 Maps a DLL or memory area into another process 23->81 83 Tries to detect virtualization through RDTSC time measurements 23->83 29 cmd.exe 1 23->29         started        47 ph-files.fe.1drv.com 26->47 49 onedrive.live.com 26->49 51 55xpza.ph.files.1drv.com 26->51 85 Multi AV Scanner detection for dropped file 26->85 31 iexpress.exe 26->31         started        signatures15 process16 process17 33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 04:28:52 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ituuwflsh6z647hz24ijhhl73irhgyrpekcogdh2m7jibiqg5nra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4a71e4db2ded6a9e2418c5a47506cc2a0b42feb42dc32692e8ef3ee3c959b3a6
Formbook
57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb
Formbook
62422d7709489bd4bfe5e5feb34bfd22f0a91269b9b8e8246e407dd597d3f79a
Formbook
663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
Formbook
770aee06bb2c48271eaaa6af3d44ac3c590f1a372007d1c92591ae65c053e682
Formbook
8545a266a50d8b5dc65790c7ce2b6d74f89641c731d53b44bc5b89cd143c3303
Formbook
899e3f377624c91677b2ddc324199eb854a630409145acf0941a32ed2d4cd005
Formbook
b47cf0eaed7e3798e77eaf01aac5783f2c03f7db7802a5215523d4ccdc631bc5
Formbook
d141b9e994a78ea1081fd3ea0768e3c7f01d3f570910923a5ace448b98e63e14
Formbook
f274c2da05a52d01da16c287803a7ea79306fe51c4220f55c19f2bfbe34288b7
Formbook
+ 18'373 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader campaign:uj3c loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220917-vk94waaag3/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
ModiLoader Second Stage
Xloader payload
Formbook
ModiLoader, DBatLoader
Xloader
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ce060593-c2ff-440a-ba8a-abb91dd5ca51
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/af6f897d-300a-4e2c-bcb1-3ff1eba79be5/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
MD5 hash:
c1a531ccb95e07fef9e361de6c02ff5d
SHA1 hash:
1020db6554d30f6bfc155e2deb0d7b905844b787
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/af6f897d-300a-4e2c-bcb1-3ff1eba79be5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44e94b15723f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/310972/

Comments