MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291
SHA3-384 hash: 10e62183f1b70f35b8aaa1af1de307d5869b0b8ad2a7ce8dc1e445d0dabde834edf2245e173af4375d75a4ff6130e945
SHA1 hash: f02fdb0b4cc41e2a7fed2b2e4c2b10021521df84
MD5 hash: 64ea7919f57b74ea7531143f6d0013ba
humanhash: bacon-michigan-robert-yankee
File name:RFQ864.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'191'936 bytes
First seen:2022-01-18 14:23:59 UTC
Last seen:2022-01-18 16:21:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 929996171266e5a6dd3b8694331428a5 (2 x Formbook)
ssdeep 24576:vFTAm/Ba7CWMVY11xbbVxYBD5LSdiHXranXKT7v:vFkWadXpQSdiAg
TLSH T153459E62B3C04833D1231E755C67A3A86529BF112F28B9477AF47D4C2F7A7813829E97
File icon (PE):PE icon
dhash icon 7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/220175/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.24629.32330.26473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4563/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/61e6cd8e0f8c757253c8b223/reports/94cb6909-41c6-4e9b-ab70-10c00edd5d81/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/157e21fc-5214-4b71-b1bf-57349bb3b7f8
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923045
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 555520 Sample: RFQ864.exe Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 36 www.stanislauslabs.com 2->36 38 www.artmuseummatch.com 2->38 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 6 other signatures 2->62 11 RFQ864.exe 1 17 2->11         started        signatures3 process4 dnsIp5 46 rwrd.org 3.219.196.50, 443, 49691, 49692 AMAZON-AESUS United States 11->46 34 C:\Users\user\Contacts\Pbmbhusole.exe, PE32 11->34 dropped 74 Writes to foreign memory regions 11->74 76 Creates a thread in another existing process (thread injection) 11->76 78 Injects a PE file into a foreign processes 11->78 16 DpiScaling.exe 11->16         started        file6 signatures7 process8 signatures9 48 Modifies the context of a thread in another process (thread injection) 16->48 50 Maps a DLL or memory area into another process 16->50 52 Sample uses process hollowing technique 16->52 54 2 other signatures 16->54 19 explorer.exe 2 16->19 injected process10 signatures11 64 Uses ipconfig to lookup or modify the Windows network settings 19->64 22 ipconfig.exe 19->22         started        25 Pbmbhusole.exe 12 19->25         started        28 Pbmbhusole.exe 12 19->28         started        process12 dnsIp13 66 Modifies the context of a thread in another process (thread injection) 22->66 68 Maps a DLL or memory area into another process 22->68 70 Tries to detect virtualization through RDTSC time measurements 22->70 30 cmd.exe 1 22->30         started        40 rwrd.org 25->40 42 192.168.2.1 unknown unknown 25->42 72 Multi AV Scanner detection for dropped file 25->72 44 rwrd.org 28->44 signatures14 process15 process16 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 14:02:13 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=knz4ectfcnw6hzb3d2dlt6rxxl7wqjkbbciwjnf6k4yyxonfekiq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:gvqa loader persistence rat trojan
Link:
https://tria.ge/reports/220118-rqq2eabef7/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
178ab3315a2bc29e61be0eb6b83970cf622588ca90ce0905e6c2138630163905
MD5 hash:
8f8384a01bbffb026083df6001364525
SHA1 hash:
6c448d033354841722b7c2807f0ee9e9831ddbe4
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/8beb1c58-4dfe-4b58-98f5-c974e60cc03d/
Parent samples :
5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291
a7017af2c60c1c5bc06d07f88e12d3b471a8787e233969d92ac6048d303cd682
1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291
6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2
69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e
112bdfee4547b7d7d8cb4fdc7a47021a17e164441ca10f4177bcf9980a46d89c
SH256 hash:
5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291
MD5 hash:
64ea7919f57b74ea7531143f6d0013ba
SHA1 hash:
f02fdb0b4cc41e2a7fed2b2e4c2b10021521df84
Link:
https://www.unpac.me/results/8beb1c58-4dfe-4b58-98f5-c974e60cc03d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/220175/

Comments