MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e
SHA3-384 hash: af5721a158c5a28e9463a9073172d6a517fe08b250dfc7bd898dda72cb48fbe7162fcb0eb565547385ac4190e791ca4c
SHA1 hash: cde672b10f71abde56ebc830cc2d49d819536e8a
MD5 hash: a1934f34d6001ee4a3ec6871e9cb40c1
humanhash: october-salami-earth-leopard
File name:IRQ2207799_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:407'563 bytes
First seen:2022-04-04 09:53:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:YNeZln859OGaaFB9iBI7X7e/XsjCRd/Dv6ckxnkQ:YNc8fOifwW78VvkkQ
Threatray 14'540 similar samples on MalwareBazaar
TLSH T179847B01B6B8D922C4710F30CBA686121E759E037E71F3DEE25872593B72AF69B152DC
File icon (PE):PE icon
dhash icon 00fcfcf0dcd8f040 (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260445/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.29413.3621.3855.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12523/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/624ac046db9ca5cf841a7be0/reports/79f701ec-c5a9-4c50-b1fd-bb07d7f09387/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee693113-ae6c-4631-86c5-c2ea7aabc717
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969898
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 602385 Sample: IRQ2207799_pdf.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 36 www.sildenafilfromusa.com 2->36 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 4 other signatures 2->52 12 IRQ2207799_pdf.exe 18 2->12         started        15 explorer.exe 97 2->15         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\rjbtiyaujv.exe, PE32 12->34 dropped 17 rjbtiyaujv.exe 12->17         started        process6 signatures7 38 Multi AV Scanner detection for dropped file 17->38 40 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->40 42 Tries to detect virtualization through RDTSC time measurements 17->42 44 Injects a PE file into a foreign processes 17->44 20 rjbtiyaujv.exe 17->20         started        process8 signatures9 54 Modifies the context of a thread in another process (thread injection) 20->54 56 Maps a DLL or memory area into another process 20->56 58 Sample uses process hollowing technique 20->58 60 Queues an APC in another process (thread injection) 20->60 23 explorer.exe 20->23 injected process10 process11 25 explorer.exe 23->25         started        signatures12 62 Modifies the context of a thread in another process (thread injection) 25->62 64 Maps a DLL or memory area into another process 25->64 66 Tries to detect virtualization through RDTSC time measurements 25->66 28 cmd.exe 1 25->28         started        30 explorer.exe 139 25->30         started        process13 process14 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 16:10:32 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
32 of 42 (76.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=naxovtgs65nl4nnb64ldxdd5aajyu6ecwd57h3d6lq4yi2ac6n7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc
Formbook
6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e
Formbook
6ed4597153654e9526d066d62bbf7cc0e7d7e0660049f9e3b826475d3fa71abe
Formbook
7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
aad5152504878bc2505e3274d65c3913c4e4274309e4ec5e03e9c555a1995678
Formbook
d3173c18c350a7fa99867f3ef7c9bf5375a4e1ca7f5706c60d883cb17322491f
Formbook
eb6a3606545277e3af8270d85b4940be7a710dcaf11c7351755675d81ce82d02
Formbook
+ 14'530 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s09m rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-lw7nfshael/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
63babb250653c967089ff446fe153ade6ea4c6b893d1ef22733b25122d00b1e9
MD5 hash:
5b42595445d092db8cbdb88fb7ba02ae
SHA1 hash:
cdaf8cfb0a0edf56f7e689610e268873ca1fcb65
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/312102b7-0fc9-4037-9890-91a0d0be4b8b/
Parent samples :
83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16
682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e
ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a
ec6cb0a51fe3d020e3989762f1b449f45413695c9ea7db67d3a2cf31c9e26ef1
SH256 hash:
fe4d8e3b061b8641d2bc97ef7de031b1cf81d468aedb6a935112b7eda14e84ab
MD5 hash:
f8f91a809792bad0cab2073b704690f1
SHA1 hash:
2bf117291df9d70387a13f2f258c809a8aa1dd69
Link:
https://www.unpac.me/results/312102b7-0fc9-4037-9890-91a0d0be4b8b/
SH256 hash:
91969a31f281704fda0070553ba51235dc61f674978460669ff7f15b69c2ca15
MD5 hash:
a577e0a43f090f3a777b1b296dd491b0
SHA1 hash:
94b434bd65c104b5674be1689a8ee42157243c34
Link:
https://www.unpac.me/results/312102b7-0fc9-4037-9890-91a0d0be4b8b/
SH256 hash:
682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e
MD5 hash:
a1934f34d6001ee4a3ec6871e9cb40c1
SHA1 hash:
cde672b10f71abde56ebc830cc2d49d819536e8a
Link:
https://www.unpac.me/results/312102b7-0fc9-4037-9890-91a0d0be4b8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/260445/

Comments