MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82
SHA3-384 hash: ff07e6a9e2b2f4e7572f3f138ad0fd7e777c86d6547228499826a77efadc2e5bd0a5ff013a17a3e52c88aeab686bee38
SHA1 hash: ddb9f289ef188d777d81c6954623e3551f35d231
MD5 hash: 8cba6efe195b956b63259435e723d80b
humanhash: earth-louisiana-missouri-zulu
File name:Order copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:920'576 bytes
First seen:2023-06-09 08:28:21 UTC
Last seen:2023-06-09 09:57:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash faffee6ddb737e162a2459239510b1e6 (3 x Formbook)
ssdeep 12288:H7uk7C8LDMu42r0Dyo6Te5rf1C7nh5YaGND23ax56pw1MJf:HC52r0WorR4DY23i+w1
Threatray 2'123 similar samples on MalwareBazaar
TLSH T128159E3371F3A477E9235634DC26B7B164743F122A1B9905BAE9BC6C8F37182292D253
TrID 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.3% (.SCR) Windows screen saver (13097/50/3)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 74fcd4d6c4f61cdc (3 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Order copy.exe
Verdict:
Malicious activity
Analysis date:
2023-06-09 08:30:38 UTC
Tags:
dbatloader formbook xloader
Link:
https://app.any.run/tasks/4c3e75bc-68d7-47f5-a432-365c5ebe026c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397308/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67319816.12400.20278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90108/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer.exe formbook greyware keylogger lolbin modiloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6482e2cf39ba775c46e0b3c4/reports/e6cb9bf8-50ff-414c-833d-d0a9142a0164/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/520e48b2-c844-45b3-a102-773189677704
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251791
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 884815 Sample: Order_copy.exe Startdate: 09/06/2023 Architecture: WINDOWS Score: 100 43 www.youlian.fund 2->43 69 Snort IDS alert for network traffic 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 7 other signatures 2->75 10 Order_copy.exe 1 4 2->10         started        signatures3 process4 dnsIp5 63 web.fe.1drv.com 10->63 65 ph-files.fe.1drv.com 10->65 67 2 other IPs or domains 10->67 37 C:\Users\Public\Libraries\udnumqbP.pif, PE32 10->37 dropped 39 C:\Users\Public\Libraries\Pbqmundu.exe, PE32 10->39 dropped 41 C:\Users\...\Pbqmundu.exe:Zone.Identifier, ASCII 10->41 dropped 99 Drops PE files with a suspicious file extension 10->99 101 Writes to foreign memory regions 10->101 103 Allocates memory in foreign processes 10->103 105 2 other signatures 10->105 15 udnumqbP.pif 10->15         started        file6 signatures7 process8 signatures9 111 Modifies the context of a thread in another process (thread injection) 15->111 113 Maps a DLL or memory area into another process 15->113 115 Sample uses process hollowing technique 15->115 117 Queues an APC in another process (thread injection) 15->117 18 explorer.exe 9 4 15->18 injected process10 dnsIp11 45 www.youlian.fund 154.204.24.45, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->45 47 www.yougfatty.info 184.94.215.91, 49726, 49727, 49728 VXCHNGE-NC01US United States 18->47 49 7 other IPs or domains 18->49 77 System process connects to network (likely due to code injection or exploit) 18->77 79 Early bird code injection technique detected 18->79 22 Pbqmundu.exe 18->22         started        26 Pbqmundu.exe 18->26         started        28 help.exe 13 18->28         started        signatures12 process13 dnsIp14 51 web.fe.1drv.com 22->51 53 ph-files.fe.1drv.com 22->53 59 2 other IPs or domains 22->59 81 Multi AV Scanner detection for dropped file 22->81 83 Writes to foreign memory regions 22->83 85 Allocates memory in foreign processes 22->85 30 udnumqbP.pif 22->30         started        55 web.fe.1drv.com 26->55 57 ph-files.fe.1drv.com 26->57 61 2 other IPs or domains 26->61 87 Creates a thread in another existing process (thread injection) 26->87 89 Injects a PE file into a foreign processes 26->89 33 help.exe 26->33         started        35 udnumqbP.pif 26->35         started        91 Tries to steal Mail credentials (via file / registry access) 28->91 93 Tries to harvest and steal browser information (history, passwords, etc) 28->93 95 Modifies the context of a thread in another process (thread injection) 28->95 97 Maps a DLL or memory area into another process 28->97 signatures15 process16 signatures17 107 Maps a DLL or memory area into another process 30->107 109 Sample uses process hollowing technique 30->109
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-31 08:31:52 UTC
File Type:
PE (Exe)
Extracted files:
84
AV detection:
32 of 37 (86.49%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=olhyfs7sjz2awnkotu5ymbzlblkkoqnijcmhbnbpkwozhi3ez2ba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0
Formbook
896a539c6cb6f313782dc5f1bc8c296abd6732b0907c573ddd12ab9f6a666eb1
Formbook
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
Formbook
a70b171c28645f51d9405f8429ae74f28d27ddb48786545bc21f35810f9501e4
Formbook
b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe
Formbook
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
Formbook
e492e308b1967fc1dcd6cef3ad6f20d1a77ca5953460162d1d1ee71b000d66f7
Formbook
e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721
Formbook
eb66ae0428282ee90ca78a2f0d37e322cc682bd9dccb9c7e50bf53da117fd0a4
Formbook
ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b
Formbook
+ 2'113 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:nvp4 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230609-kdkkjacd4w/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Formbook
Unpacked files
SH256 hash:
91745aed333d9326a6add7d732b81d930282a4425bb96ebb1466d0b567f2d6f2
MD5 hash:
6f6cc425754b1f4c09e967a420f2ca4f
SHA1 hash:
b052b9051b2df24f8c9f0811d53cd84abca776db
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/30d19307-425d-40f6-9ec6-0125584b71ae/
Parent samples :
6362e9238ae682805b33d2503122e845994d69e1eb51f981cde99b04572cc85c
cd0120b7c1d114b73fd768a37de9e2c34fb1662a3e1dc620b34763410ccb6d7e
ad5131dfaba269367d500cd343ccc1956434b4cb21c2fcd163545c433deded66
545e53fd784db3a0227fcf431e81005c9f74ec6be1dcee9a1a2734fa103b6b27
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
ea2f8aca010aba1f0ebb0b5af2de53b2a4106d5feb147f34e0a8e615eccd77c1
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82
SH256 hash:
72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82
MD5 hash:
8cba6efe195b956b63259435e723d80b
SHA1 hash:
ddb9f289ef188d777d81c6954623e3551f35d231
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/30d19307-425d-40f6-9ec6-0125584b71ae/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72cf82cbf24e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:azov_Dropped
Create hunting rule
Author:Potatech
Description:Azov Detection
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/397308/

Comments