MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f
SHA3-384 hash: bb630d51f41c8d700176d403ec9e2d7a6ffa38b750e9f371020c012666bdbd50d658434019f38ee1396f43ca088bd941
SHA1 hash: 364a1fe147482160e3dde718123c6b051affd377
MD5 hash: 82ddedc13989499dfd47a7f7d711150b
humanhash: yankee-mango-artist-oregon
File name:inquiry ESP1285.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:365'315 bytes
First seen:2023-11-20 06:48:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:3BlL/SbHNz3Un31C5LbcPDz+d2EeDB8VMb9qk6WwHy95E40jb:x8bHJ3ulC50PeNet+MEk/Ri40
TLSH T11F7412927BF41AB7E54205B1893BC994D9785D349421A6832BA0FE3F5EF02C64D8339B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459217/
Detection(s):
SecuriteInfo.com.FileRepMalware.10885.7884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/655b015ee5d5331f5c5aa968/reports/c30d3946-7866-4f2d-9d13-a0ffc17f1913/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1657b194-283c-406d-b6fa-1e7e76c96554
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344963
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1344963 Sample: inquiry_ESP1285.exe Startdate: 20/11/2023 Architecture: WINDOWS Score: 100 34 www.warnernc.com 2->34 36 www.vevo-verify.com 2->36 38 19 other IPs or domains 2->38 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 5 other signatures 2->56 11 inquiry_ESP1285.exe 17 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\mjazljmu.exe, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\...\njtvctvzoc.oe, DOS 11->32 dropped 14 mjazljmu.exe 11->14         started        process6 signatures7 66 Detected unpacking (changes PE section rights) 14->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->68 70 Maps a DLL or memory area into another process 14->70 17 mjazljmu.exe 14->17         started        process8 signatures9 46 Maps a DLL or memory area into another process 17->46 48 Queues an APC in another process (thread injection) 17->48 20 syGudiPaNrhyYdpzOfGdjCeZVrYkDV.exe 17->20 injected process10 process11 22 cmmon32.exe 13 20->22         started        signatures12 58 Tries to steal Mail credentials (via file / registry access) 22->58 60 Tries to harvest and steal browser information (history, passwords, etc) 22->60 62 Writes to foreign memory regions 22->62 64 2 other signatures 22->64 25 syGudiPaNrhyYdpzOfGdjCeZVrYkDV.exe 22->25 injected 28 firefox.exe 22->28         started        process13 dnsIp14 40 www.doonc.xyz 91.195.240.123, 49708, 49709, 49710 SEDO-ASDE Germany 25->40 42 www.blackgrow.info 203.161.53.83, 49715, 49716, 49717 VNPT-AS-VNVNPTCorpVN Malaysia 25->42 44 11 other IPs or domains 25->44
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-19 22:42:38 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=otnrhmtnfbkohzqalozm2pjqjxzuyjiutryxqeiarja3xvhg3i7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231120-hlbw9afa2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d2780f85f861932ada6b36e3ba136b19af98e182c45ff55c285149b311f33ead
MD5 hash:
5d1e8df537bf6bc4e0c62e206d7904c1
SHA1 hash:
0e8e6a4a9825e13447cfaaf4503ebf0a681dfca5
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7bd8f805-6bfd-46c1-8184-29c1f14f62ec/
SH256 hash:
568a7da2bff42094514b3c8cda6ddbb35ee512c1555e6108bc4a8f1b0ca82f05
MD5 hash:
9c399b7c7da398a5912deba1b7712327
SHA1 hash:
8b914fe46df7335df48e5abf6cda0a668af17faf
Link:
https://www.unpac.me/results/7bd8f805-6bfd-46c1-8184-29c1f14f62ec/
SH256 hash:
d4955311bc53c90571a8cc84fcf385da504c5f558b227b6650bebb376d68cbc2
MD5 hash:
cb26edda7c1ac9335b606addfba7a44a
SHA1 hash:
f587fb310df37f151e8d89854d4954e20008e87c
Link:
https://www.unpac.me/results/7bd8f805-6bfd-46c1-8184-29c1f14f62ec/
SH256 hash:
74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f
MD5 hash:
82ddedc13989499dfd47a7f7d711150b
SHA1 hash:
364a1fe147482160e3dde718123c6b051affd377
Link:
https://www.unpac.me/results/7bd8f805-6bfd-46c1-8184-29c1f14f62ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74db13b26d28/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 74db13b26d2854e3e6005bb2cd3d304df34c25149c717811008a41bbd4e6da3f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/459217/

Comments