MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7228634bbebee87d96a088337f7b0e59645e84561d1e658bc67ccf0fed6d6b80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7228634bbebee87d96a088337f7b0e59645e84561d1e658bc67ccf0fed6d6b80
SHA3-384 hash: 3c92b9853d64a7b7fa9a9e19d3c3fa28ac351f23be146abbeb9b14ff4813b435bf42b3c513fb8067885e40309799411d
SHA1 hash: b600bd5f37360e4f0b575c417fd2511dbcdd7684
MD5 hash: d94073b973ab572de04909cdbeee3c89
humanhash: uniform-thirteen-angel-bakerloo
File name:한라산업개발(2022-02-10).pdf.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:2'854 bytes
First seen:2022-02-10 06:03:09 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:8M+UNbQ6O9j5UNmu6Oq56ZQOLI6UASaUOIi0wmH+Dpg+LL78E50Kn:8MTPOwNmg2OLI6UA02DpTLLomNn
Threatray 13'693 similar samples on MalwareBazaar
TLSH T1A151A56E3307A5F0B5165DD1EC5F083E4CE6568AA17A8880760C83C11E28078ABC7E6F
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240122/
Detection(s):
SecuriteInfo.com.Trojan.Script.Wacatac.Bml.24712.5885.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937468
Signature
Command shell drops VBS files
DLL side loading technique detected
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netstat to query active network connections and open ports
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 569942 Sample: #Ud55c#Ub77c#Uc0b0#Uc5c5#Ua... Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 60 www.thrivingbravelife.com 2->60 62 www.emh.store 2->62 64 3 other IPs or domains 2->64 76 Malicious sample detected (through community Yara rule) 2->76 78 Yara detected FormBook 2->78 80 Uses an obfuscated file name to hide its real file extension (double extension) 2->80 82 2 other signatures 2->82 10 wscript.exe 14 2->10         started        14 wscript.exe 2->14         started        16 wscript.exe 13 2->16         started        signatures3 process4 dnsIp5 72 sinogytee.mywire.org 191.101.130.47, 49723, 49741, 49743 MAJESTIC-HOSTING-01US Chile 10->72 100 System process connects to network (likely due to code injection or exploit) 10->100 102 Wscript starts Powershell (via cmd or directly) 10->102 104 Very long command line found 10->104 106 2 other signatures 10->106 18 powershell.exe 14 24 10->18         started        23 cmd.exe 3 10->23         started        25 powershell.exe 14->25         started        27 powershell.exe 16->27         started        signatures6 process7 dnsIp8 66 sinogytee.mywire.org 18->66 54 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 18->54 dropped 56 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 18->56 dropped 90 Writes to foreign memory regions 18->90 92 DLL side loading technique detected 18->92 94 Injects a PE file into a foreign processes 18->94 96 Powershell drops PE file 18->96 29 calc.exe 18->29         started        32 calc.exe 18->32         started        34 conhost.exe 18->34         started        58 #Ud55c#Ub77c#Uc0b0...2022-02-10).pdf.vbs, ASCII 23->58 dropped 98 Command shell drops VBS files 23->98 36 conhost.exe 23->36         started        68 sinogytee.mywire.org 25->68 38 calc.exe 25->38         started        40 conhost.exe 25->40         started        70 sinogytee.mywire.org 27->70 42 calc.exe 27->42         started        44 conhost.exe 27->44         started        46 calc.exe 27->46         started        file9 signatures10 process11 signatures12 108 Modifies the context of a thread in another process (thread injection) 29->108 110 Maps a DLL or memory area into another process 29->110 112 Sample uses process hollowing technique 29->112 114 Queues an APC in another process (thread injection) 29->114 48 explorer.exe 29->48 injected 116 Tries to detect virtualization through RDTSC time measurements 32->116 process13 signatures14 74 Uses netstat to query active network connections and open ports 48->74 51 NETSTAT.EXE 48->51         started        process15 signatures16 84 Modifies the context of a thread in another process (thread injection) 51->84 86 Maps a DLL or memory area into another process 51->86 88 Tries to detect virtualization through RDTSC time measurements 51->88
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7228634bbebee87d96a088337f7b0e59645e84561d1e658bc67ccf0fed6d6b80/
Threat name:
Script-WScript.Downloader.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 06:04:08 UTC
File Type:
Text (VBS)
AV detection:
9 of 27 (33.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oiuggs56x3uh3fvarazx66yolfsf5bcwdupglc6gpthq73lnnoaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
94517fa5a38b384136a3027f7588daa605494dd888e4658cb89d521f5fb2d55a
Formbook
a6e23730cd711af23e7900cbabb871b668d37a74dda0c97d63f3303167861cf5
Formbook
ae912e8263a9242ff6590f2c818cdc64c3a6f2f059576dc8d760a3af93db63fc
Formbook
b071cb00b3e3d8715ad31c24702fdd284f7cec5ac937b47f7c64f1e630f2c992
Formbook
b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1
Formbook
dbc4b30858a2fa9f7001f2347e1cb88f660b8e6651962519b78a7978c6cc2d72
Formbook
f777ad0feb1db2da7abb7c793515f7af49d06a7b4fc5904a9da436ccbd59ddc3
Formbook
fddfa27a56eb44a653c6d5d7947d62415896a15da7cbd4cf8e7b72334e6f0833
Formbook
+ 13'683 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p7n9 loader rat suricata
Link:
https://tria.ge/reports/220210-gsljlafbcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/240122/

Comments