MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877
SHA3-384 hash: bc68f4c864fe519dafae69a22782ba9629d5bf3a945643fbec029ea9e65f59f817927e5627c80c2251941d8cd32d46e5
SHA1 hash: 3397bf8819aca625619d90b120bb2a232c4fa4bf
MD5 hash: d15f94bd8f51b08fc32f062428527929
humanhash: zulu-timing-don-green
File name:RFQ02811968.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:367'588 bytes
First seen:2023-11-20 08:48:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:3BlL/dL2eLick4a8+iD4LybEeWF53KCvNBjD3txf21YkG/Z3akzxZN3G87avIDV0:xXqeLiR4ES4L1FfvNBfdxf21YzZ3ak9a
TLSH T19974126366EA4A67E43342FBCD6B47FAD273D1005C24A35B0F606F5AED115C20D8E6CA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 62ccc17ebaf10400 (4 x Formbook, 2 x DarkCloud)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459269/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending an HTTP POST request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca2cd355-6de8-43d4-9931-d683e7c420d7
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345049
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1345049 Sample: RFQ02811968.exe Startdate: 20/11/2023 Architecture: WINDOWS Score: 100 34 www.wangbaomen23.xyz 2->34 36 www.warnernc.com 2->36 38 17 other IPs or domains 2->38 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 58 3 other signatures 2->58 11 RFQ02811968.exe 17 2->11         started        signatures3 56 Performs DNS queries to domains with low reputation 34->56 process4 file5 32 C:\Users\user\AppData\Local\Temp\pmegx.exe, PE32 11->32 dropped 14 pmegx.exe 11->14         started        process6 signatures7 68 Multi AV Scanner detection for dropped file 14->68 70 Detected unpacking (changes PE section rights) 14->70 72 Machine Learning detection for dropped file 14->72 74 2 other signatures 14->74 17 pmegx.exe 14->17         started        process8 signatures9 46 Maps a DLL or memory area into another process 17->46 48 Queues an APC in another process (thread injection) 17->48 20 hZJATLiqwYMfqIgNcLRydaM.exe 17->20 injected process10 process11 22 help.exe 13 20->22         started        signatures12 60 Tries to steal Mail credentials (via file / registry access) 22->60 62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 64 Writes to foreign memory regions 22->64 66 3 other signatures 22->66 25 explorer.exe 36 1 22->25 injected 28 hZJATLiqwYMfqIgNcLRydaM.exe 22->28 injected 30 firefox.exe 22->30         started        process13 dnsIp14 40 www.doonc.xyz 91.195.240.123, 49713, 49714, 49715 SEDO-ASDE Germany 25->40 42 www.blackgrow.info 203.161.53.83, 49721, 49722, 49723 VNPT-AS-VNVNPTCorpVN Malaysia 25->42 44 9 other IPs or domains 25->44
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-11-16 03:58:48 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6pjh5esuscmgx5o2z5jnqfgjwcd6zxneqvjphpdodo3fhajjb3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231120-kq1saafe9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
1d84b1165c357db22e12c181f7b97b44d6ae0ba5ef718a1f2af97ba97386763d
MD5 hash:
4c5a23b7059e7c6ce5c704377a1aff9f
SHA1 hash:
627f184c6cbcf89e14a74389f4688c98697f30a3
Link:
https://www.unpac.me/results/1c07f615-b013-4f29-b313-a0f289702beb/
SH256 hash:
779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877
MD5 hash:
d15f94bd8f51b08fc32f062428527929
SHA1 hash:
3397bf8819aca625619d90b120bb2a232c4fa4bf
Link:
https://www.unpac.me/results/1c07f615-b013-4f29-b313-a0f289702beb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/779e93f492a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 779e93f492a484c35faed67a96c0a64d843f66ed242a979de370ddb29c094877

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/459269/

Comments