MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2
SHA3-384 hash: 6b7e0f099b04a7011f3c9c3fcc203bdfa835a8c05fa9d67904fcb1be57395966c54d654d54eac49ba3ad1d6676c487ca
SHA1 hash: 431aa8a67b018ed88e0bc19880125d8f6607977d
MD5 hash: 3cd3031ee2d634046cc2d254448dd140
humanhash: stream-jig-five-johnny
File name:Scan_Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:237'977 bytes
First seen:2022-11-16 07:39:27 UTC
Last seen:2022-11-16 09:53:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 3072:WNJSq+ytGIon9KcvbNMUQKzhBJ/7QTW2ySYOqs6jyO4eyx39ptfaxX6+z/svBGd7:+Ea09bKYm/znYzGzELz/sZKHTNS3pyNn
TLSH T1D034120386D098ABD603A7301CF19757C3FFC9116681A6B70BE42E3B89376879E5644B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0068717171716800 (2 x Formbook)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan_Order.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 07:41:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a318104-05a5-45c6-b844-29cb4b0bd1c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334682/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.6.14676.21772.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637493d565b4ed3de8c86463/reports/0d5a9e68-d6d3-4266-96e3-2680bf1055f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4e865f5f-19d7-42d1-b315-4ea5661f0952
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114597
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 747293 Sample: Scan_Order.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 28 www.dh2p.com 2->28 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 10 Scan_Order.exe 18 2->10         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\hbnlkvfesl.exe, PE32 10->26 dropped 13 hbnlkvfesl.exe 10->13         started        process6 signatures7 64 Antivirus detection for dropped file 13->64 66 Multi AV Scanner detection for dropped file 13->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->68 70 Maps a DLL or memory area into another process 13->70 16 hbnlkvfesl.exe 13->16         started        process8 signatures9 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Sample uses process hollowing technique 16->40 42 Queues an APC in another process (thread injection) 16->42 19 explorer.exe 16->19 injected process10 dnsIp11 30 vornek.com 77.245.159.4, 49696, 49697, 80 NIOBEBILISIMHIZMETLERITR Turkey 19->30 32 qumicon.info 103.123.17.195, 49694, 49695, 80 IDNIC-CITRAHOST-IDPTCITRAWEBDIGITALMULTISOLUSIID Indonesia 19->32 34 6 other IPs or domains 19->34 52 System process connects to network (likely due to code injection or exploit) 19->52 54 Uses netstat to query active network connections and open ports 19->54 23 NETSTAT.EXE 13 19->23         started        signatures12 process13 signatures14 56 Tries to steal Mail credentials (via file / registry access) 23->56 58 Tries to harvest and steal browser information (history, passwords, etc) 23->58 60 Modifies the context of a thread in another process (thread injection) 23->60 62 Maps a DLL or memory area into another process 23->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 03:05:44 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jd4hikdjbfzcxseqisebbuhl2wz3oepjkepar7gqp7ve6wmrbora._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:6obn rat spyware stealer trojan
Link:
https://tria.ge/reports/221116-jhjncsdf2t/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66d21916-b928-4a3d-b7ee-5de44d52a7c5
Unpacked files
SH256 hash:
b8e91bc5bf0ab3a4f4b57d3852b10c7c0e6ef8349cd3f0f4216389e508859f56
MD5 hash:
0416a0713de665dd54448a2422c98656
SHA1 hash:
400303606895efb6ec00385efaee584be0fe67fe
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ba44894d-d4c7-4a35-9dfa-462bd4a464ae/
SH256 hash:
4cdf5e83784947d69e975843fcaabb6e68a6a34756510569563996cbc7fc9554
MD5 hash:
7c5c7e186ba253a8eeea8fa8cc377824
SHA1 hash:
39d7cc5b958e08fb4694e541d8780ff1ea51f80c
Link:
https://www.unpac.me/results/ba44894d-d4c7-4a35-9dfa-462bd4a464ae/
SH256 hash:
441833cf6a25266bbeec6ab682c8e9cb74a974ccf1057406610c2af46416f7a8
MD5 hash:
29f14ffcd0200e436d37c17a7abfb015
SHA1 hash:
ebe9529e7bb6e78fe498993246a92cc4323af7e2
Link:
https://www.unpac.me/results/ba44894d-d4c7-4a35-9dfa-462bd4a464ae/
SH256 hash:
48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2
MD5 hash:
3cd3031ee2d634046cc2d254448dd140
SHA1 hash:
431aa8a67b018ed88e0bc19880125d8f6607977d
Link:
https://www.unpac.me/results/ba44894d-d4c7-4a35-9dfa-462bd4a464ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48f874286909/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 619d4e1b1790067c1e4479df8480461ee7d2317ceff763d5c7eb86b566feb54d

Formbook

Executable exe 48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 619d4e1b1790067c1e4479df8480461ee7d2317ceff763d5c7eb86b566feb54d
Cape
Cape
https://www.capesandbox.com/analysis/334682/
  
Dropped by
MD5 38c4db11055aa27addbad4bbd008df8c

Comments