MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544
SHA3-384 hash: d638b9965b7dd95e26f15fe1f1922f65f08f5e6e09f71ddf9dc51531879006a6b010496b0136956648d9d88f5140ef08
SHA1 hash: cbaac634394b368d496ca6ceae796b5a3c67ef9c
MD5 hash: 11cfcd0851318e65777c602767173a75
humanhash: robin-five-september-carolina
File name:78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544
Download: download sample
Signature Formbook
Create hunting rule
File size:1'406'157 bytes
First seen:2022-12-07 13:23:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (866 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:IAOcZloYkC0uKi8dEIV9jJw89E54S9jLzCXPQ+T5bwQU:mQKCcdFVFJtEPdCXY+TiQU
Threatray 16'443 similar samples on MalwareBazaar
TLSH T170550142F6D048F2E9761F359837ED1838B93C355E30D66EA3A9B9358B71242011BF6B
TrID 54.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
40.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0d1818183227311f (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544
Verdict:
Malicious activity
Analysis date:
2022-12-07 13:23:03 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/3e9d293b-0e9b-4689-80f2-87639cbfb364

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/343959/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/639093f49a505ad9423ddea3/reports/22d70ac9-e721-4488-91cd-3abf3b74e834/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e627b27-703f-49ae-903e-faf2bab675dc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1130057
Signature
Antivirus detection for dropped file
Creates autostart registry keys with suspicious values (likely registry only malware)
Disables the Windows task manager (taskmgr)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 762785 Sample: B5QdEQB9AI.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 84 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected AntiVM autoit script 2->64 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->66 10 B5QdEQB9AI.exe 3 67 2->10         started        13 rkgbmnic.exe 2->13         started        16 wscript.exe 2->16         started        18 wscript.exe 2->18         started        process3 dnsIp4 56 C:\Users\user\AppData\Local\...\rkgbmnic.exe, PE32 10->56 dropped 20 wscript.exe 1 10->20         started        60 192.168.2.1 unknown unknown 13->60 22 mshta.exe 13->22         started        24 mshta.exe 13->24         started        26 cmd.exe 16->26         started        28 cmd.exe 18->28         started        file5 process6 process7 30 rkgbmnic.exe 3 7 20->30         started        34 conhost.exe 26->34         started        36 rkgbmnic.exe 26->36         started        38 conhost.exe 28->38         started        40 rkgbmnic.exe 28->40         started        file8 58 C:\Users\user\AppData\Local\...\start.vbs, ASCII 30->58 dropped 68 Antivirus detection for dropped file 30->68 70 Multi AV Scanner detection for dropped file 30->70 72 Creates autostart registry keys with suspicious values (likely registry only malware) 30->72 74 Disables the Windows task manager (taskmgr) 30->74 42 wscript.exe 30->42         started        44 mshta.exe 30->44         started        46 mshta.exe 30->46         started        48 5 other processes 30->48 signatures9 process10 process11 50 rkgbmnic.exe 42->50         started        process12 52 mshta.exe 50->52         started        54 mshta.exe 50->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 07:52:42 UTC
File Type:
PE (Exe)
Extracted files:
82
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pautkuntj2i6ekpub4pxtva7hbspjehvq4ieby2t7mp2vxrdqvca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1abcc38e288d1e4c36001ae4ee4373d0dfaf32d4feb0710a25ad3c281b6eeaf5
Formbook
2a6896423cc62446d775c28aedc44306fbf3ee3c4e15eff8ebb4cf148360b4d9
Formbook
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
Formbook
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
Formbook
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
Formbook
886581e4b23e851f4244fb1a1d028e0ba1ed11d5b85868519cc606a40a06457c
Formbook
a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
Formbook
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
Formbook
e510aadd7609c9ec1e54c9b8c036c9a10dfe8ef9c67feb54f1b30399a7605c4d
Formbook
+ 16'433 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/221207-qnc64afa45/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a0fd0f77-b394-477a-912b-aac02c41dc97
Unpacked files
SH256 hash:
ae67c26fbd593468522fd4168b9d2a161e86bae3049333a928beb2e15b10fae0
MD5 hash:
03e685f5bdb544e57bdf8094e7efb851
SHA1 hash:
5e8436432bc1e535cb9936fa459fdf1a26534685
Link:
https://www.unpac.me/results/1dc2db78-34ac-4f60-813b-1a662f203817/
SH256 hash:
78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544
MD5 hash:
11cfcd0851318e65777c602767173a75
SHA1 hash:
cbaac634394b368d496ca6ceae796b5a3c67ef9c
Link:
https://www.unpac.me/results/1dc2db78-34ac-4f60-813b-1a662f203817/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78293551b34e91e229f40f1f79d41f3864f490f5871040e353fb1faade238544

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343959/

Comments