MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7
SHA3-384 hash: 63e5868b84dc3c984dab8fa381a54b274c84baa3879a70110697b94e5684943beb30954882e2218199fba8cfa21fd69d
SHA1 hash: 5e3dddc05d5c4c1ac0e1e746afa1caffc052e223
MD5 hash: ea069dbab7dc5402de6db17a6d527da8
humanhash: missouri-juliet-xray-fix
File name:Dovada platii bancare.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'811'688 bytes
First seen:2024-07-29 15:23:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:yeeifie2s14xjUEuR1e4vJ93cspSCfsf7o:Wifl+UELOz3cspSCr
Threatray 12 similar samples on MalwareBazaar
TLSH T12085EF4631A74E97FC5A0178D1E278F142FE6E5778F2926FCF58BE0A213A23D640447A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter threatcat_ch
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-28T22:59:09Z
Valid to:2025-07-28T22:59:09Z
Serial number: 6ac554268eb8cd85ff58421c4044e81c
Thumbprint Algorithm:SHA256
Thumbprint: 5f978188438ec4b954f7102ef6531a1c1f008d87565e166ce903846d0f2733cb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dovada platii bancare.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 15:26:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d76e79cb-d27c-4971-b4d6-25662204c6f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a7b413c06bd32e596e61fe
Tags:
Encryption Execution Network Static Stealth Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Forced system process termination
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/66a7b41b78d5c73fb1c8a024/reports/fe338afa-5e7c-470f-bf9c-7b00b1da3d19/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a69a299-e234-47db-aed4-d0cdca62c9e7
Result
Threat name:
Coinhive, FormBook, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1484154
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Disables UAC (registry)
Downloads suspicious files via Chrome
Found direct / indirect Syscall (likely to bypass EDR)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Coinhive miner
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1484154 Sample: Dovada platii bancare.exe Startdate: 29/07/2024 Architecture: WINDOWS Score: 100 75 www.yedurrum.xyz 2->75 77 www.onemuslimmentors.xyz 2->77 79 33 other IPs or domains 2->79 103 Malicious sample detected (through community Yara rule) 2->103 105 Antivirus detection for URL or domain 2->105 107 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->107 111 10 other signatures 2->111 11 Dovada platii bancare.exe 1 4 2->11         started        14 iexplore.exe 2->14         started        16 svchost.exe 2->16         started        19 iexplore.exe 2->19         started        signatures3 109 Performs DNS queries to domains with low reputation 77->109 process4 dnsIp5 119 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->119 121 Writes to foreign memory regions 11->121 123 Allocates memory in foreign processes 11->123 125 3 other signatures 11->125 21 iexplore.exe 11->21         started        24 powershell.exe 23 11->24         started        26 WerFault.exe 19 16 11->26         started        32 3 other processes 11->32 28 iexplore.exe 101 14->28         started        73 127.0.0.1 unknown unknown 16->73 30 iexplore.exe 19->30         started        signatures6 process7 signatures8 115 Maps a DLL or memory area into another process 21->115 34 CAmYOzGiHUmgDw.exe 21->34 injected 117 Loading BitLocker PowerShell Module 24->117 37 conhost.exe 24->37         started        39 iexplore.exe 28->39         started        42 iexplore.exe 28->42         started        process9 dnsIp10 101 Found direct / indirect Syscall (likely to bypass EDR) 34->101 44 grpconv.exe 1 13 34->44         started        89 18.165.242.4, 443, 51326, 51327 MIT-GATEWAYSUS United States 39->89 91 code.jquery.com 151.101.2.137, 443, 51330, 51331 FASTLYUS United States 39->91 47 ie_to_edge_stub.exe 39->47         started        49 ssvagent.exe 39->49         started        93 prod.appnexus.map.fastly.net 151.101.129.108, 443, 51360, 51361 FASTLYUS United States 42->93 signatures11 process12 signatures13 127 Tries to steal Mail credentials (via file / registry access) 44->127 129 Tries to harvest and steal browser information (history, passwords, etc) 44->129 131 Modifies the context of a thread in another process (thread injection) 44->131 133 3 other signatures 44->133 51 CAmYOzGiHUmgDw.exe 44->51 injected 55 firefox.exe 44->55         started        57 msedge.exe 47->57         started        process14 dnsIp15 81 anavamarketing.com 3.33.130.190, 51356, 57011, 57012 AMAZONEXPANSIONGB United States 51->81 83 www.hawalaz.xyz 162.0.213.72, 57863, 57864, 57865 ACPCA Canada 51->83 87 7 other IPs or domains 51->87 113 Found direct / indirect Syscall (likely to bypass EDR) 51->113 85 239.255.255.250 unknown Reserved 57->85 67 C:\Users\user\AppData\...\adblock_snippet.js, ASCII 57->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\Part-FR, data 57->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\Part-RU, DOS 57->71 dropped 60 msedge.exe 57->60         started        63 msedge.exe 57->63         started        65 msedge.exe 57->65         started        file16 signatures17 process18 dnsIp19 95 clients2.googleusercontent.com 60->95 97 googlehosted.l.googleusercontent.com 142.250.186.97, 443, 51308 GOOGLEUS United States 60->97 99 3 other IPs or domains 60->99
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-07-29 05:22:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
17
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmuxmhwy2b2nbw5loyguqfbqbnim5rsjiss7t4swlctxbht4sttq._file
Verdict:
malicious
Similar samples:
38ab1533c224b90043299dc9b2a42bf456d0521de6d89a8eeb44336771943c3f
Formbook
49116eb9df67b39271c13a80c5044023c55044c2cb4c6303f2b8c2a936524cee
Formbook
5390645d905bb685705fd00b242961c6b59ec0dd22073e20f4036d15b6eb613e
Formbook
60e4ea673b7e3c945d1a35dce00619be03cdc1121e8a23e6846a1e1f879d833e
Formbook
64228cf1befbf976a01cbd2800e65c4f15129d2c3d7976b2a905147d5808735c
Formbook
8ccbbdf3c267b13bc55f9c1c6d7752868310de3787635e775d015b0874f566ad
Formbook
9c581c4cec9f25a55ee985d08ad3ba40a268aff6ea05aebff399c31f86b98065
Formbook
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
credential_access discovery evasion execution persistence stealer trojan
Link:
https://tria.ge/reports/240729-ss1t3ayfjh/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Modifies Internet Explorer settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
UAC bypass
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/47359d10-0907-4474-9374-e73d79c5d7f9
Unpacked files
SH256 hash:
6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7
MD5 hash:
ea069dbab7dc5402de6db17a6d527da8
SHA1 hash:
5e3dddc05d5c4c1ac0e1e746afa1caffc052e223
Link:
https://www.unpac.me/results/12d801b6-26fe-472d-b6f8-8b3aca723fd0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6329761ed8d074d0dbab760d4814300b50cec64944a5f9f25658a7709e7c94e7

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments