MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49449720e228b03f82a7d148c4b91d0f136c104c65d0349eb1f349f27d0cf1d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: 49449720e228b03f82a7d148c4b91d0f136c104c65d0349eb1f349f27d0cf1d1
SHA3-384 hash: 7d701376479d818aa8f93e7cdfca0b72d556b94fa5c067e3102417f6102686d18d372ce88a602204efc97cc60ca975c6
SHA1 hash: 9bf67afacb3044c5645044f5fda1afe91059d32b
MD5 hash: 2fec843c06f3d44331b8dbc79e19ae8f
humanhash: zulu-stairway-eighteen-oscar
File name: Order_007136.exe
Signature: Formbook
File size: 2'225'152 bytes
First seen: 2022-11-21 07:51:41 UTC
Last seen: 2023-08-26 21:46:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:iHLGMRt68cEoDImz94DnUzcSDjdFeSAAQqZ2KC:3koE5SDjdFeXAz
TLSH: T119A57DE96D4EE798B16E8D3B4FB4A02655440B3248F19EE5A95B2108D3316D23E3CC7F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 1d1c9b4a1b6d575b (3 x SnakeKeylogger, 2 x Loki, 2 x a310Logger)
Reporter: Anonymous
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 4
# of downloads: 285
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://185.246.220.65/btc/Order_007136.exe
Verdict: Malicious activity
Analysis date: 2022-11-21 05:58:34 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook, Laplas Clipper
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Yara detected Laplas Clipper
Behaviour
Behavior Graph: graph rendering not reproduced here (Behavior Graph ID: 750597; Sample: Order_007136.exe; Startdate: 21/11/2022; Architecture: WINDOWS; Score: 100)
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2022-11-21 06:06:17 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 25 of 40 (62.50%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook masslogger

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:nurs persistence rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Formbook payload
Formbook
Unpacked files
SHA256 hash: 06584dc8637061fcb5616fe38ec76aab143c9aa005a00797cf03c4ac8fa7ff01
MD5 hash: 93fa4c12ece25549bdf314f3986d8d58
SHA1 hash: a733fd06ef83e1a6fadd647f5e27c07eaa243b87
Detections: FormBook win_formbook_auto win_formbook_g0

SHA256 hash: e27185c80d78a2f754e5b5566c3cbeb31e9dc842160d3c9b366b061d23d3587d
MD5 hash: 5f9c103342d40650f7653509318cc4aa
SHA1 hash: 20599ad5938e6e3de1834e4ec7361a820fe3210a
Detections: win_formbook_g0

SHA256 hash: 9f0d1c31351e83c2ca133313237fadba9490276107cea6700a2a4c1b00090577
MD5 hash: d6179f8865f25b41d12063745039acfc
SHA1 hash: 656e10c339b9a8800173cea721a98aa5e29910e6

SHA256 hash: b1ec03b0d993c02b6e2e05a8feb82563bc5de5760bc2356d130016bf8f67d474
MD5 hash: 6db9fe4d4a5e7ff71b95957606756e6e
SHA1 hash: db8fb0d25847201bb22e489996b8e93fd480692c

SHA256 hash: 49449720e228b03f82a7d148c4b91d0f136c104c65d0349eb1f349f27d0cf1d1
MD5 hash: 2fec843c06f3d44331b8dbc79e19ae8f
SHA1 hash: 9bf67afacb3044c5645044f5fda1afe91059d32b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Formbook
File type: Executable exe
SHA256 hash: 49449720e228b03f82a7d148c4b91d0f136c104c65d0349eb1f349f27d0cf1d1 (this sample)