MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb
SHA3-384 hash: 9cdbeae4856c5cd0c44ab3d2ed64ff8ba430a7dd72156d53eb208c9e7ea5a896c4a523c4c8225b06088d104271bff1c2
SHA1 hash: 6f5bd5f70bc21389c4d9ba4870bb8d4f97983a06
MD5 hash: 6597a0fbd9b2ee3bcf4a801fe4b69ae0
humanhash: nine-october-arkansas-purple
File name:Siparis eklendi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:749'568 bytes
First seen:2022-06-14 00:43:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8ac356ba54e2a9cd05d8375fe9316be5 (2 x AveMariaRAT, 2 x FormBook, 1 x RemcosRAT)
ssdeep 12288:PWKyfz+e4WiTD4Iz82EwDQMFeofpEFOCOtVSX3x7FRSJWeOkDUHg:ObCe4WiP4O82rtFNOFOCOtVSn52
TLSH T123F48C22EAF1CE36C13215778F07F2A45D2DBD103925B58A6AE97D4C6F39A803C39197
TrID 22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
20.6% (.SCR) Windows screen saver (13101/52/3)
16.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 07d0d8dcd4d8d007 (8 x RemcosRAT, 7 x FormBook, 2 x AgentTesla)
Reporter malwarelabnet
Tags:exe FormBook formbook modiloader xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Siparis eklendi.exe
Verdict:
Malicious activity
Analysis date:
2022-06-14 00:55:49 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/6d53e231-2e8a-4b95-8414-d576ae4d98d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279545/
Detection(s):
SecuriteInfo.com.Malware.AI.246493350.11524.25887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Reading critical registry keys
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21089/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/62a7da125aca718dcaf3f0e7/reports/60b72a5a-a6dc-4553-bda4-fb31981248ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f0906b7-cd7e-4212-a35b-6fc7d8c6c312
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1012474
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 644970 Sample: Siparis eklendi.exe Startdate: 14/06/2022 Architecture: WINDOWS Score: 100 48 www.westlifinance.online 2->48 50 www.shopwithtrooperdavecom.com 2->50 52 3 other IPs or domains 2->52 82 Snort IDS alert for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 4 other signatures 2->88 11 Siparis eklendi.exe 1 17 2->11         started        16 Ykhseldguv.exe 15 2->16         started        signatures3 process4 dnsIp5 60 192.168.2.1 unknown unknown 11->60 62 onedrive.live.com 11->62 70 2 other IPs or domains 11->70 44 C:\Users\Public\Libraries\Ykhseldguv.exe, PE32 11->44 dropped 46 C:\Users\...\Ykhseldguv.exe:Zone.Identifier, ASCII 11->46 dropped 110 Writes to foreign memory regions 11->110 112 Allocates memory in foreign processes 11->112 114 Creates a thread in another existing process (thread injection) 11->114 18 logagent.exe 11->18         started        64 onedrive.live.com 16->64 66 campza.am.files.1drv.com 16->66 68 am-files.fe.1drv.com 16->68 116 Multi AV Scanner detection for dropped file 16->116 118 Injects a PE file into a foreign processes 16->118 21 DpiScaling.exe 16->21         started        file6 signatures7 process8 signatures9 72 Modifies the context of a thread in another process (thread injection) 18->72 74 Maps a DLL or memory area into another process 18->74 76 Sample uses process hollowing technique 18->76 78 Queues an APC in another process (thread injection) 18->78 23 explorer.exe 18->23 injected 80 Tries to detect virtualization through RDTSC time measurements 21->80 process10 process11 25 Ykhseldguv.exe 15 23->25         started        29 colorcpl.exe 23->29         started        31 WWAHost.exe 23->31         started        33 colorcpl.exe 23->33         started        dnsIp12 54 onedrive.live.com 25->54 56 campza.am.files.1drv.com 25->56 58 am-files.fe.1drv.com 25->58 96 Writes to foreign memory regions 25->96 98 Allocates memory in foreign processes 25->98 100 Creates a thread in another existing process (thread injection) 25->100 102 Injects a PE file into a foreign processes 25->102 35 DpiScaling.exe 25->35         started        104 Modifies the context of a thread in another process (thread injection) 29->104 106 Maps a DLL or memory area into another process 29->106 108 Tries to detect virtualization through RDTSC time measurements 29->108 38 cmd.exe 1 29->38         started        40 explorer.exe 99 29->40         started        signatures13 process14 signatures15 90 Modifies the context of a thread in another process (thread injection) 35->90 92 Maps a DLL or memory area into another process 35->92 94 Sample uses process hollowing technique 35->94 42 conhost.exe 38->42         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 07:32:26 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4bdzpcynojo7cm4gkm4c5gcncn2lnpg5fyjo2w54kozs556txnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader campaign:uj3c loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220614-a3g6laffc8/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
ModiLoader Second Stage
Xloader Payload
Formbook
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/bf34710f-7b80-4699-9bcc-84e6be13157b/
SH256 hash:
57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb
MD5 hash:
6597a0fbd9b2ee3bcf4a801fe4b69ae0
SHA1 hash:
6f5bd5f70bc21389c4d9ba4870bb8d4f97983a06
Link:
https://www.unpac.me/results/bf34710f-7b80-4699-9bcc-84e6be13157b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57023cbc586b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279545/

Comments