MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
SHA3-384 hash: 5527fadc5dee91be2e5b851db043fb19b5d53184d362bb0698c65018e4397fd2284f9409146d918c0e891f1ee87e5d6c
SHA1 hash: 08610039c44dcbbd9e352d174e44cdc1968ca897
MD5 hash: f34a9eb165527229a5d67e1029c58f7c
humanhash: robin-hotel-magazine-november
File name:f34a9eb165527229a5d67e1029c58f7c
Download: download sample
Signature Formbook
Create hunting rule
File size:1'191'936 bytes
First seen:2022-01-18 17:41:45 UTC
Last seen:2022-01-18 19:29:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 929996171266e5a6dd3b8694331428a5 (2 x Formbook)
ssdeep 24576:vFTAm/Ba7CWMVY11xbbVxYBD5LSdiHXranXKT7v:vFkWadXpQSdiAg
Threatray 12'814 similar samples on MalwareBazaar
TLSH T1A1459F12F3C04837D1231F394C6BA3A95529BF112E28B9477AF47E4C6F7A6803925E97
File icon (PE):PE icon
dhash icon 7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f34a9eb165527229a5d67e1029c58f7c
Verdict:
Malicious activity
Analysis date:
2022-01-19 05:15:33 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/774c512e-8985-4cdb-bf85-bc1fdb95dbb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/220286/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.24629.18901.25689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4596/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/61e6fbf40f8c757253c93fb6/reports/faedf88f-e1db-4380-8cff-bb4c85921b2a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce0fe33e-2bdc-4fd1-a7a0-6b3eb672d8e9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/922692
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 555171 Sample: e65ajzPmCQ Startdate: 18/01/2022 Architecture: WINDOWS Score: 100 41 www.hxbyouni25.xyz 2->41 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 6 other signatures 2->81 10 e65ajzPmCQ.exe 1 17 2->10         started        signatures3 process4 dnsIp5 61 onedrive.live.com 10->61 63 lqwasg.db.files.1drv.com 10->63 65 db-files.fe.1drv.com 10->65 37 C:\Users\user\Contacts\Dmblflpwar.exe, PE32 10->37 dropped 39 C:\Users\...\Dmblflpwar.exe:Zone.Identifier, ASCII 10->39 dropped 99 Writes to foreign memory regions 10->99 101 Creates a thread in another existing process (thread injection) 10->101 103 Injects a PE file into a foreign processes 10->103 15 DpiScaling.exe 10->15         started        file6 signatures7 process8 signatures9 105 Modifies the context of a thread in another process (thread injection) 15->105 107 Maps a DLL or memory area into another process 15->107 109 Sample uses process hollowing technique 15->109 111 2 other signatures 15->111 18 explorer.exe 2 15->18 injected process10 dnsIp11 43 www.v-kulture.info 141.8.192.193, 49821, 80 SPRINTHOSTRU Russian Federation 18->43 45 servicios-royale.com 206.189.227.19, 49788, 80 DIGITALOCEAN-ASNUS United States 18->45 47 8 other IPs or domains 18->47 83 System process connects to network (likely due to code injection or exploit) 18->83 22 Dmblflpwar.exe 15 18->22         started        26 Dmblflpwar.exe 15 18->26         started        28 msiexec.exe 18->28         started        30 colorcpl.exe 18->30         started        signatures12 process13 dnsIp14 49 192.168.2.1 unknown unknown 22->49 51 onedrive.live.com 22->51 59 2 other IPs or domains 22->59 85 Multi AV Scanner detection for dropped file 22->85 87 Writes to foreign memory regions 22->87 89 Creates a thread in another existing process (thread injection) 22->89 32 logagent.exe 22->32         started        53 onedrive.live.com 26->53 55 lqwasg.db.files.1drv.com 26->55 57 db-files.fe.1drv.com 26->57 91 Injects a PE file into a foreign processes 26->91 35 DpiScaling.exe 26->35         started        93 Modifies the context of a thread in another process (thread injection) 28->93 95 Maps a DLL or memory area into another process 28->95 97 Tries to detect virtualization through RDTSC time measurements 30->97 signatures15 process16 signatures17 67 Modifies the context of a thread in another process (thread injection) 32->67 69 Maps a DLL or memory area into another process 32->69 71 Sample uses process hollowing technique 32->71 73 Tries to detect virtualization through RDTSC time measurements 32->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 17:33:00 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
20 of 43 (46.51%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4gajr6duu6vqsxrpy4ory76k5t5impcnsszwtocbxtrarjvikkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
5c175aad872d219fa23de0c83ea085fbdca8d76601167089b4e55ee66d520276
Formbook
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
Formbook
8968808899b3e810e675fc87e6ff0f61c82b444183fd7f8febdb276eee05e683
Formbook
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
Formbook
b88385613d90ebbd240b11a3847fc2117c0d832fdf7a3c45f1ed68692ed68038
Formbook
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
Formbook
c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
Formbook
ff577215d4aaa29ae63860167282ceeb0a703daadfdaef2155102500c269caa2
Formbook
+ 12'804 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fu6b loader persistence rat
Link:
https://tria.ge/reports/220118-v925kaccd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash:
322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash:
734c432e2595d53c82ee28604f909d3390018dd8
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/3e5486df-37db-44d7-8513-f39e80be610f/
Parent samples :
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20
SH256 hash:
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
MD5 hash:
f34a9eb165527229a5d67e1029c58f7c
SHA1 hash:
08610039c44dcbbd9e352d174e44cdc1968ca897
Link:
https://www.unpac.me/results/3e5486df-37db-44d7-8513-f39e80be610f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1986806/
Cape
Cape
https://www.capesandbox.com/analysis/220286/

Comments


Avatar
zbet commented on 2022-01-18 17:41:46 UTC

url : hxxp://172.245.163.220/666/vbc.exe