MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff
SHA3-384 hash: 18bec8144fe07d5f0cad4770253c6a56ccaedef30a3699b321290b9544fcba0246756565c5ad966788d3d34709a7b4cc
SHA1 hash: 33fe91592c79b63af6f15ceebfed4f9960fa73c3
MD5 hash: d295211b783d0ef3be258ab3c84eaf74
humanhash: football-eleven-pasta-winter
File name:SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611
Download: download sample
Signature Formbook
Create hunting rule
File size:293'277 bytes
First seen:2023-06-19 17:29:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:vYa6BTppMsDGDqKv/1AgOEloa62ZNwvZESHhFVlibpOfJtmLivX:vYbTpOsDGDz31AgPPfwthFVliQmL4X
Threatray 1'203 similar samples on MalwareBazaar
TLSH T14D54122D57A4C5B3E84238321D3E9F339F65E41A1890621B63E0AD5D7E36782C90DB7B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611
Verdict:
Malicious activity
Analysis date:
2023-06-19 17:32:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d72bcdb6-2a24-4b78-b992-402c82d4b25f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400632/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91650/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6490909d3067ea15b656636d/reports/0f198841-22ac-4686-856c-073fe8b6d635/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0587290a-d728-44b0-9bff-41b07437e4c0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257686
Signature
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890702 Sample: SecuriteInfo.com.Gen.Varian... Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 5 other signatures 2->73 9 foktdy.exe 19 2->9         started        13 SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611.exe 1 21 2->13         started        15 foktdy.exe 19 2->15         started        17 foktdy.exe 19 2->17         started        process3 file4 41 C:\Users\user\AppData\...\yxqaybnsjj.dll, PE32 9->41 dropped 85 Multi AV Scanner detection for dropped file 9->85 87 Detected unpacking (changes PE section rights) 9->87 89 Machine Learning detection for dropped file 9->89 19 foktdy.exe 9->19         started        43 C:\Users\user\AppData\Roaming\...\foktdy.exe, PE32 13->43 dropped 45 C:\Users\user\AppData\...\yxqaybnsjj.dll, PE32 13->45 dropped 91 Creates multiple autostart registry keys 13->91 93 Maps a DLL or memory area into another process 13->93 22 SecuriteInfo.com.Gen.Variant.Nemesis.22803.4515.12611.exe 13->22         started        47 C:\Users\user\AppData\...\yxqaybnsjj.dll, PE32 15->47 dropped 24 foktdy.exe 15->24         started        49 C:\Users\user\AppData\...\yxqaybnsjj.dll, PE32 17->49 dropped 26 foktdy.exe 17->26         started        signatures5 process6 signatures7 75 Maps a DLL or memory area into another process 19->75 77 Sample uses process hollowing technique 19->77 79 Queues an APC in another process (thread injection) 19->79 28 foktdy.exe 19 19->28         started        process8 file9 51 C:\Users\user\AppData\...\yxqaybnsjj.dll, PE32 28->51 dropped 95 Maps a DLL or memory area into another process 28->95 32 rundll32.exe 1 13 28->32         started        35 foktdy.exe 28->35         started        signatures10 process11 signatures12 59 Tries to steal Mail credentials (via file / registry access) 32->59 61 Creates multiple autostart registry keys 32->61 63 Tries to harvest and steal browser information (history, passwords, etc) 32->63 65 2 other signatures 32->65 37 explorer.exe 1 1 32->37 injected process13 dnsIp14 53 www.nicejunq.com 91.195.240.123, 49698, 49699, 49700 SEDO-ASDE Germany 37->53 55 www.ketocanadmqy.cloud 195.161.62.100, 49685, 80 RTCOMM-ASRU Russian Federation 37->55 57 14 other IPs or domains 37->57 81 System process connects to network (likely due to code injection or exploit) 37->81 83 Performs DNS queries to domains with low reputation 37->83 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 17:30:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6fknqdw7ck5wzc4lewlgbwaaw3ilwhymkpjrwtl75v33hnwmh7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f
Formbook
2548c04db4ea5f38623e33475254f4429f0278f86da3326d742746a46dfb5d85
Formbook
4eaa6cbb07ff01de61ba87d140ca4dcd5c4054f9796bc6c15e6946ef484991ff
Formbook
54d71b452ceceb7769f2ab610d157005849ec32aae5544acaa99d08f8d12cd95
Formbook
b0fb5dfefc02f70b63a1421dc68ef14470cebc829b3e2b8a80f1841a7cb15a6d
Formbook
bbb16ff7e472adf4acdcf9576a2977b930f36622848b2f0c3e954f6916a273c9
Formbook
c2e38b05804fa43eb0cd54de0187ef7d90aa79191877124a504690172ca33b78
Formbook
d8202bc99e99754c2626904e992cf30f9ed5b1d505affc8aea915d29a1053cfd
Formbook
f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2
Formbook
fac68be8d34387e18062a7bc14ce9c070022c9cb3ff9ce8cc6cd58c18c00764d
Formbook
+ 1'193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230619-v25kqagd91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
510021369daf99bd595993aeaa78a66c5d33ea9b51212b0dd5386f6e2fc760b5
MD5 hash:
59070edef852a9f3eb577c93ae69aeca
SHA1 hash:
de41509ebdad811c6a3a36cdb2f145533ce1252b
Link:
https://www.unpac.me/results/e3df0c33-53ff-42a3-a692-d5e300329aee/
SH256 hash:
678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff
MD5 hash:
d295211b783d0ef3be258ab3c84eaf74
SHA1 hash:
33fe91592c79b63af6f15ceebfed4f9960fa73c3
Link:
https://www.unpac.me/results/e3df0c33-53ff-42a3-a692-d5e300329aee/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/678aa6c076f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 678aa6c076f895db645c592cb306c005b685d8f8629e98da6bff6bbd9db661ff

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/400632/
  
URLhaus
https://urlhaus.abuse.ch/url/2666211/
  
Delivery method
Distributed via web download

Comments