MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79bcbfe90332fe976229f75f64723adcf0db4a0df4a088b1370fef38f20a6630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79bcbfe90332fe976229f75f64723adcf0db4a0df4a088b1370fef38f20a6630
SHA3-384 hash: e19d4ce28539d635b51e224c1f96481e029766e0c73b85c8b609c1e5027533fd1fb6b9cb17042177496bc2649f3c2b77
SHA1 hash: a81f400dd105d3041fef6a84c42874b216b68162
MD5 hash: f3512395f5dc2b8bfa0bbca4bedfe15f
humanhash: snake-beer-alabama-failed
File name:order_doc.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:258'281 bytes
First seen:2021-10-18 14:53:06 UTC
Last seen:2021-10-18 15:24:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:wBlL/c2QY/Wpo6H/uvspndzM3Q4WRPngKawZbjW:CeUepB/1pndzlLRPgKtE
Threatray 2'053 similar samples on MalwareBazaar
TLSH T18E441265B1DE52EBCB11897507B79BA3C3F6C2208538E7ABA7210D76A0303DB6635742
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198242/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.17589.26865.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/616d8a90a9d585e6d52c16af/reports/7fffb1a7-d33c-4db5-b0cb-6d23f3b3e5ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ebdb6ee-6633-4d83-9f0c-a20d7ae7d16b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872392
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504818 Sample: order_doc.scr Startdate: 18/10/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected FormBook 2->40 42 4 other signatures 2->42 10 order_doc.exe 17 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\rabh.dll, PE32 10->28 dropped 54 Detected unpacking (changes PE section rights) 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 order_doc.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.thietkemietvuon.net 103.7.43.244, 49836, 80 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 17->30 32 www.reikiforthecollective.com 17->32 34 www.guidemining.com 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cscript.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/79bcbfe90332fe976229f75f64723adcf0db4a0df4a088b1370fef38f20a6630/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 14:53:11 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pg6l72idgl7joyrj65pwi4r23tynwsqn6sqirmjxb7xtr4qkmyya._file
Verdict:
unknown
Similar samples:
09fdcf52fff7285e32960072d6e88300f70be978d41560b19a4175e9701500dd
Formbook
1eaac3194b53e9523347d6d8392bb9ac437437217b530f2c61a270459c7da06e
Formbook
22c6a5976ce7b78c9fc9be80c53945344670b5df128629f0d1e99d48b2e65121
Formbook
321614efdd982c05c30e11529158d445e17a49bef9437c17a95567aa3cccc890
Formbook
52dc772f8a1fba5d23b2bd62f1762d49f180579d561bbb64d84f97f4c3a7b2cd
Formbook
63d0937af7bf53fe0b74ae6631452ff2d254ab6c7e1d0a62372f1f6992a1a1fd
Formbook
66ba5ddfe4ba8eff18b461334b8e589d64ee3421fe7f5cd9e1c614e3661f70a3
Formbook
75beaf53680c0e6ee8a24d54255a86b1c4fd644bc010e48c6a2dc182697db766
Formbook
8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f
Formbook
b8059fc344b91a7b02e6a15a94551fcb3450f1109ad59bd6f3a22e0342ad9ff5
Formbook
+ 2'043 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211018-r9cywsdgc4/
Behaviour
Enumerates physical storage devices
Unpacked files
SH256 hash:
79bcbfe90332fe976229f75f64723adcf0db4a0df4a088b1370fef38f20a6630
MD5 hash:
f3512395f5dc2b8bfa0bbca4bedfe15f
SHA1 hash:
a81f400dd105d3041fef6a84c42874b216b68162
Link:
https://www.unpac.me/results/f50a9036-de63-46a1-841a-ff7db4e3aa23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/79bcbfe90332fe976229f75f64723adcf0db4a0df4a088b1370fef38f20a6630

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 79bcbfe90332fe976229f75f64723adcf0db4a0df4a088b1370fef38f20a6630

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198242/

Comments