MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55a7fd2df3009816980dc8c5ab8d4b5e2bfeb5c583a3f2af5224de8e375f544b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55a7fd2df3009816980dc8c5ab8d4b5e2bfeb5c583a3f2af5224de8e375f544b
SHA3-384 hash: c25ec5e05b64849683e07c3e4b4bf9070202cb88e0a3eca321f5d053096e51ff1ed5f5874b164dd33604aa72de2eeebf
SHA1 hash: 145bfd8d1799af133f7e2efad8f3c5b6983b61dc
MD5 hash: aae4b4eee3503ef2e168fdac871ce27c
humanhash: hotel-papa-table-fruit
File name:SecuriteInfo.com.Trojan.DownLoader44.65070.24175.19564
Download: download sample
Signature Formbook
Create hunting rule
File size:1'162'752 bytes
First seen:2022-07-04 16:34:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c6d72504caee99d6f79636b4ec0876d (1 x RemcosRAT, 1 x Formbook, 1 x DBatLoader)
ssdeep 24576:j0MESs7F/WvmnaMKQaD+Mme3rmyPtFvDgIF7c5:ofJ83rlPtFvDpF7c
TLSH T18E35BEA2B3A3403AC0E215358D1BB66D98D77E122DECA8D667F57A0F3E35681381DC53
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 27d0d4d6d0d87007 (4 x RemcosRAT, 3 x AveMariaRAT, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.65070.24175.19564.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Fareit-FCVN04B0AC04354F.30114.16185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23749/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62c316b9dd037e27032f3964/reports/96268333-3495-4938-9385-c8c8ec7eb330/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ca9704e-3e96-429d-a989-87ecb3234bd1
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024315
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 656812 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 04/07/2022 Architecture: WINDOWS Score: 100 45 www.thirsty-monkey.com 2->45 47 thirsty-monkey.com 2->47 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 5 other signatures 2->89 11 SecuriteInfo.com.Trojan.DownLoader44.65070.24175.exe 1 19 2->11         started        signatures3 process4 dnsIp5 61 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49723, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->61 63 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49720, 49726 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->63 65 3 other IPs or domains 11->65 41 C:\Users\Public\Libraries\Mtifajpgvi.exe, PE32 11->41 dropped 43 C:\Users\...\Mtifajpgvi.exe:Zone.Identifier, ASCII 11->43 dropped 111 Writes to foreign memory regions 11->111 113 Allocates memory in foreign processes 11->113 115 Creates a thread in another existing process (thread injection) 11->115 117 Injects a PE file into a foreign processes 11->117 16 DpiScaling.exe 11->16         started        file6 signatures7 process8 signatures9 67 Modifies the context of a thread in another process (thread injection) 16->67 69 Maps a DLL or memory area into another process 16->69 71 Sample uses process hollowing technique 16->71 73 2 other signatures 16->73 19 explorer.exe 2 16->19 injected process10 signatures11 91 Uses netsh to modify the Windows network and firewall settings 19->91 22 Mtifajpgvi.exe 16 19->22         started        26 Mtifajpgvi.exe 16 19->26         started        28 netsh.exe 19->28         started        30 2 other processes 19->30 process12 dnsIp13 49 192.168.2.1 unknown unknown 22->49 51 onedrive.live.com 22->51 57 4 other IPs or domains 22->57 93 Antivirus detection for dropped file 22->93 95 Multi AV Scanner detection for dropped file 22->95 97 Writes to foreign memory regions 22->97 32 logagent.exe 22->32         started        53 onedrive.live.com 26->53 55 loqbra.am.files.1drv.com 26->55 59 2 other IPs or domains 26->59 99 Allocates memory in foreign processes 26->99 101 Creates a thread in another existing process (thread injection) 26->101 103 Injects a PE file into a foreign processes 26->103 35 logagent.exe 26->35         started        105 Modifies the context of a thread in another process (thread injection) 28->105 107 Maps a DLL or memory area into another process 28->107 109 Tries to detect virtualization through RDTSC time measurements 28->109 37 cmd.exe 1 28->37         started        signatures14 process15 signatures16 75 Modifies the context of a thread in another process (thread injection) 32->75 77 Maps a DLL or memory area into another process 32->77 79 Sample uses process hollowing technique 32->79 81 Tries to detect virtualization through RDTSC time measurements 32->81 39 conhost.exe 37->39         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55a7fd2df3009816980dc8c5ab8d4b5e2bfeb5c583a3f2af5224de8e375f544b/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 08:53:36 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwt72lptacmbnganzdc2xdkllyv75nofqor7fl2setpi4n27krfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:remcos family:xloader botnet:remotehost campaign:gqvv loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220704-t3m7dsacdj/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
ModiLoader Second Stage
Xloader Payload
Formbook
ModiLoader, DBatLoader
Remcos
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Malware Config
C2 Extraction:
bitcoinpage.dynu.net:2404
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/ac37ee92-03cc-478b-9182-9ac8ac2fc87d/
SH256 hash:
55a7fd2df3009816980dc8c5ab8d4b5e2bfeb5c583a3f2af5224de8e375f544b
MD5 hash:
aae4b4eee3503ef2e168fdac871ce27c
SHA1 hash:
145bfd8d1799af133f7e2efad8f3c5b6983b61dc
Link:
https://www.unpac.me/results/ac37ee92-03cc-478b-9182-9ac8ac2fc87d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55a7fd2df300/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments