MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68635ba1023b53f99082894ea103cd967c00866238a77029660c76738cac4440. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68635ba1023b53f99082894ea103cd967c00866238a77029660c76738cac4440
SHA3-384 hash: 31647fe24027317a958ec37277bb79a6d86dafbd3e261e3f5014882832daa248b8a4d827beee9c3f5703d045ec58f9a5
SHA1 hash: 4dfc32fa85a8b61b92485b02002a18b8fdef42fa
MD5 hash: 267cdf24b98f968949182c31f0b9196e
humanhash: illinois-connecticut-hot-football
File name:profile.xll
Download: download sample
Signature Formbook
Create hunting rule
File size:885'760 bytes
First seen:2022-10-24 17:55:38 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep 12288:hx2s7IMrR4yVld8bzbBSrelqZGDx0mnShqrrioz2Jxk7tG2s+/gsm:hx7PkX11FxtBiKYwD
TLSH T1A415AF56BECA6EA2EF7F42B78361D62D1126736D03A1A6CF760301D93951FC2443EA07
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:FormBook xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
profile.xll
Verdict:
No threats detected
Analysis date:
2022-10-24 17:57:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec1424fa-fc78-4cd6-b638-8c83765cb3fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Detected-9941731-0
Create hunting rule

Win.Dropper.Detected-9943897-0
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/68635ba1023b53f99082894ea103cd967c00866238a77029660c76738cac4440/results/dashboard
Behaviour
BlacklistAPI detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096961
Signature
C2 URLs / IPs found in malware configuration
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Office process drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729604 Sample: profile.xll Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Document exploit detected (drops PE files) 2->56 58 4 other signatures 2->58 11 cmd.exe 7 2 2->11         started        process3 process4 13 EXCEL.EXE 22 25 11->13         started        17 conhost.exe 11->17         started        file5 40 C:\Windows\Temp\oaiEFbE.exe, PE32 13->40 dropped 82 Document exploit detected (creates forbidden files) 13->82 19 oaiEFbE.exe 18 13->19         started        signatures6 process7 file8 38 C:\Users\user\AppData\Local\Temp\smjjuo.exe, PE32 19->38 dropped 68 Machine Learning detection for dropped file 19->68 23 smjjuo.exe 1 19->23         started        signatures9 process10 signatures11 70 Machine Learning detection for dropped file 23->70 72 Maps a DLL or memory area into another process 23->72 26 smjjuo.exe 23->26         started        29 conhost.exe 23->29         started        process12 signatures13 74 Modifies the context of a thread in another process (thread injection) 26->74 76 Maps a DLL or memory area into another process 26->76 78 Sample uses process hollowing technique 26->78 80 Queues an APC in another process (thread injection) 26->80 31 explorer.exe 26->31 injected process14 dnsIp15 42 saudeespetacular.online 162.241.62.39, 49704, 49705, 49706 UNIFIEDLAYER-AS-1US United States 31->42 44 take-solar.shop 81.169.145.78, 49701, 49702, 49703 STRATOSTRATOAGDE Germany 31->44 46 5 other IPs or domains 31->46 48 System process connects to network (likely due to code injection or exploit) 31->48 50 Uses netstat to query active network connections and open ports 31->50 35 NETSTAT.EXE 13 31->35         started        signatures16 process17 signatures18 60 Tries to steal Mail credentials (via file / registry access) 35->60 62 Tries to harvest and steal browser information (history, passwords, etc) 35->62 64 Modifies the context of a thread in another process (thread injection) 35->64 66 Maps a DLL or memory area into another process 35->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68635ba1023b53f99082894ea103cd967c00866238a77029660c76738cac4440/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-24 18:21:11 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbrvxiichnj7teecrfhkca6nsz6abbtchctxaklgbr3hhdfmiraa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:00up rat spyware stealer trojan
Link:
https://tria.ge/reports/221024-wh19mahhf2/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68635ba1023b53f99082894ea103cd967c00866238a77029660c76738cac4440

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Find_Any_Xll_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Find Any XLL File
Rule name:Hunt_Excel_DNA_Built_XLL_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Hunt for Excel Addin dll files generated with Excel-DNA builder https://excel-dna.net/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments