MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada
SHA3-384 hash: f9122ebd9f752ce02fa4cfe03ae5c8f6c3d2fae8f14b244eaf6a54678f9991dd54499db4eb25c182b65c3a7c26bbfd7a
SHA1 hash: a8c597443e8f1aca2282281d09cc9f293bb6a79c
MD5 hash: 5a517cbad20948daa9044af901b4f746
humanhash: nineteen-sierra-skylark-oscar
File name:rOmranZolal.jpg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:631'296 bytes
First seen:2023-09-19 19:45:47 UTC
Last seen:2023-09-19 19:45:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rw2iNV1UpHtZzDjbiXmN5kcZdStsR6LxCR5dYc6hQ3VrGX1l:k1bcZTbpuBtm6LAARh6Gll
Threatray 1'947 similar samples on MalwareBazaar
TLSH T1C6D412096AEC2F15C1F947F234D1282A43B855197AD0F7E52CDAB0DB2C33B529728DA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
rOmranZolal.jpg.exe
Verdict:
Malicious activity
Analysis date:
2023-09-19 19:48:22 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/e16a5973-8dc1-400f-83f2-f528d95aa132

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449831/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6509fa7b83a0c6425df9dd0b/reports/a6deef83-0caf-48a0-b1f0-c82a94dcbcb1/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9985179-e79a-4f8e-8fd5-a641953710e5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311098
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1311098 Sample: rOmranZolal.jpg.exe Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 10 other signatures 2->74 10 rOmranZolal.jpg.exe 7 2->10         started        14 qkDyIYCTBUbTs.exe 5 2->14         started        process3 file4 50 C:\Users\user\AppData\...\qkDyIYCTBUbTs.exe, PE32 10->50 dropped 52 C:\Users\user\AppData\Local\...\tmp3CE6.tmp, XML 10->52 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Adds a directory exclusion to Windows Defender 10->84 86 Tries to detect virtualization through RDTSC time measurements 10->86 16 rOmranZolal.jpg.exe 10->16         started        19 powershell.exe 20 10->19         started        21 schtasks.exe 1 10->21         started        88 Multi AV Scanner detection for dropped file 14->88 90 Machine Learning detection for dropped file 14->90 92 Injects a PE file into a foreign processes 14->92 23 qkDyIYCTBUbTs.exe 14->23         started        25 schtasks.exe 14->25         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 27 explorer.exe 7 6 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 www.pnlbz.cfd 43.129.212.107, 49723, 80 LILLY-ASUS Japan 27->54 56 www.gktkbr.com 164.88.86.127, 49744, 80 CLAYERLIMITED-AS-APClayerLimitedHK South Africa 27->56 58 11 other IPs or domains 27->58 94 System process connects to network (likely due to code injection or exploit) 27->94 96 Performs DNS queries to domains with low reputation 27->96 37 control.exe 27->37         started        40 rundll32.exe 27->40         started        42 autoconv.exe 27->42         started        44 autochk.exe 27->44         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 37->76 78 Maps a DLL or memory area into another process 37->78 80 Tries to detect virtualization through RDTSC time measurements 37->80 46 cmd.exe 37->46         started        process13 process14 48 conhost.exe 46->48         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 16:25:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 34 (55.88%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pce53xr3hxzzxrbmosmk53uibgxo33ixwuhh7n6t2dtae6vvllna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
40f5c4cf3de1461b42dc81ddaf6bf3c1956d27e85773d8828e798b79402e6e13
Formbook
87d3bbd8edcab168832890e4d362542e2be35fe286ce9a2ebeeb8216d08cca0f
Formbook
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
Formbook
8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf
Formbook
99ec8b8e93e7a91dab1a16b9353333fa340d52569de4b88f5703bbc5a666211c
Formbook
a200ca72553397e7d6a4c746a52411f62819d7860e7330e2d45df32f3c952dfa
Formbook
a96ec414b99747cf8859a77e2d05ea24053db3fa343474a007180dfefda658ca
Formbook
df810d99cd1588f21a80f27dc691efb44083567f1385978dad10611858bad134
Formbook
ee0603d9ad98809ae728d4d1ebee72fcb97b28d493df380a6805f7d45a086b64
Formbook
+ 1'937 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a0e6 rat spyware stealer trojan
Link:
https://tria.ge/reports/230919-ygyhfsdg79/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
6b4a3bc98ec893c40cfe722c0f48731f7608fe22dcc734d5c9ce48e2dc9abf89
MD5 hash:
ea08f7a9e50a363e3fed5136a65e4274
SHA1 hash:
39c3513aead1fce85f308db6eb67b9ea1334d14d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/acb94eb7-e1d1-4c2b-949d-9ddd993aa81d/
Parent samples :
8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf
7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada
SH256 hash:
4a8d70ece798fb6955e46bdb4b4813924a3bbcf205e585fd0aef148123a44489
MD5 hash:
3bcd5e9d69da03ebe27b9c2e472d9e8d
SHA1 hash:
aa268bd00ed60a5907b4b2a669ddd21a1b8bb4da
Link:
https://www.unpac.me/results/acb94eb7-e1d1-4c2b-949d-9ddd993aa81d/
SH256 hash:
a93ab27d9bd9aa5b52288ff259e1dd2e8de2c873ee8fd5bbae64bca6f7624ce0
MD5 hash:
f2a2d829d920d375609a49544173df5a
SHA1 hash:
2af0e17de7935177d0a503ec980836fae9e17920
Link:
https://www.unpac.me/results/acb94eb7-e1d1-4c2b-949d-9ddd993aa81d/
SH256 hash:
f3036acf385ebfab405b810f3d17babdd2be6b5ea9d266f28ab042057778a9c4
MD5 hash:
03208a99fb2d11b518c6735e99ec6a8c
SHA1 hash:
02fb8dbe7fe1f02bb5e35c95967203e6fa5ccf22
Link:
https://www.unpac.me/results/acb94eb7-e1d1-4c2b-949d-9ddd993aa81d/
SH256 hash:
7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada
MD5 hash:
5a517cbad20948daa9044af901b4f746
SHA1 hash:
a8c597443e8f1aca2282281d09cc9f293bb6a79c
Link:
https://www.unpac.me/results/acb94eb7-e1d1-4c2b-949d-9ddd993aa81d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7889ddde3b3d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/449831/

Comments