MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79efff3c21df7739b3bf710f18e7ab3c90ae86e0a189f494a59b1cecc2b2b7bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: 79efff3c21df7739b3bf710f18e7ab3c90ae86e0a189f494a59b1cecc2b2b7bc
SHA3-384 hash: 18b52341d07a97d07ba31456a87ffa52c200e4fe36e6e3fe9877a5c0d1ffe0071e424be45c41c4ce79219dd2f1a1fe3d
SHA1 hash: 2406dac08b7123ac0c7443db1abdd9cc45de59dd
MD5 hash: 610eb36cbca9053a48efc8e6439eb24e
humanhash: uncle-bravo-bacon-quebec
File name: 05267389200-2-9002.exe
Signature: Formbook
File size: 1'475'072 bytes
First seen: 2022-06-10 05:38:38 UTC
Last seen: 2022-06-13 10:04:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 66ebe8b38da518dd5e3cdb7bfad8bde7 (3 x RemcosRAT, 3 x Formbook)
ssdeep: 24576:Og/2082AZjjVzLh5eZO0rq8PS+C5zONkMsTWDHX:OULAZjrI/BDH
Threatray: 16'885 similar samples on MalwareBazaar
TLSH: T1C7659D62A252C833D3621A38CC379BF856667E11E920B9876AF13D6CFF753A03537185
TrID: 22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      20.6% (.SCR) Windows screen saver (13101/52/3)
      16.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 8770d8d4d4d87087 (7 x RemcosRAT, 5 x Formbook, 1 x Loki)
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 4
# of downloads: 309
Origin country: n/a
Vendor Threat Intelligence

Malware family: formbook
ID: 1
File name: 05267389200-2-9002.exe
Verdict: Malicious activity
Analysis date: 2022-06-10 05:39:39 UTC
Tags: formbook trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit greyware keylogger remcos wacatac zusy
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph (ID 643106; sample 05267389200-2-9002.exe; start date 10/06/2022; architecture WINDOWS; score 100)

Sample-level indicators:
  Domain: www.allmnlenem.quest
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  3 other signatures

Process tree (children indented under their parent):
05267389200-2-9002.exe (started)
  Network: l-0003.l-dc-msedge.net 13.107.43.12 (ports 443, 49772, 49774; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); onedrive.live.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\Recqzucyvn.exe (PE32); C:\Users\...\Recqzucyvn.exe:Zone.Identifier (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  logagent.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
      Network: www.allmnlenem.quest 37.123.118.150 (port 80; UK2NET-ASGB, United Kingdom)
      Signatures: System process connects to network (likely due to code injection or exploit)
      Recqzucyvn.exe (started)
        Network: l-0004.l-dc-msedge.net 13.107.43.13 (ports 443, 49805, 49821; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); onedrive.live.com; 3 other IPs or domains
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
        logagent.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
      cmmon32.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)
      cscript.exe (started)
      2 other processes
Recqzucyvn.exe (started)
  Network: onedrive.live.com; bjth2a.am.files.1drv.com; am-files.fe.1drv.com
  Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
  DpiScaling.exe (started)
    Signatures: Tries to detect virtualization through RDTSC time measurements
Result
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2022-06-09 05:54:16 UTC
File Type: PE (Exe)
Extracted files: 48
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:modiloader family:xloader campaign:euv4 loader persistence rat suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
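The behaviour lists on this page (autorun through the Run registry branch, unauthorized injection into a system process, HTTP GET from an injected explorer.exe, the WriteProcessMemory/SetThreadContext pattern and the Run key noted just above) describe a chain that is better detected by correlating host telemetry than by any single event. The script below is an added example, not code from MalwareBazaar or from any sandbox vendor: it scores a sequence of simplified Sysmon-style events for that chain. The event records, field names, weights, paths and SID are constructed for the example (the field names are a simplification of Sysmon's, not its real schema); the list of system binaries used as injection hosts is taken from the process names in the behaviour graph above.

```python
import ntpath

# Constructed, simplified Sysmon-style events (EventID plus a few fields) that
# mirror the behaviour reported for this sample: PE dropped into
# C:\Users\Public\Libraries with a Zone.Identifier stream, a Run-key value
# pointing at it, thread injection into logagent.exe and then explorer.exe,
# plain HTTP from explorer.exe, and cmmon32.exe spawned by explorer.exe.
# Paths, the SID and the Firefox line are made up for the example.
EVENTS = [
    {"id": 11, "image": "C:\\Users\\victim\\Downloads\\05267389200-2-9002.exe",
     "target": "C:\\Users\\Public\\Libraries\\Recqzucyvn.exe"},
    {"id": 15, "image": "C:\\Users\\victim\\Downloads\\05267389200-2-9002.exe",
     "target": "C:\\Users\\Public\\Libraries\\Recqzucyvn.exe:Zone.Identifier"},
    {"id": 13, "image": "C:\\Users\\Public\\Libraries\\Recqzucyvn.exe",
     "target": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Recqzucyvn",
     "details": "C:\\Users\\Public\\Libraries\\Recqzucyvn.exe"},
    {"id": 8, "source_image": "C:\\Users\\Public\\Libraries\\Recqzucyvn.exe",
     "target_image": "C:\\Windows\\SysWOW64\\logagent.exe"},
    {"id": 8, "source_image": "C:\\Windows\\SysWOW64\\logagent.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"id": 3, "image": "C:\\Windows\\explorer.exe", "dst_ip": "37.123.118.150", "dst_port": 80},
    {"id": 1, "image": "C:\\Windows\\SysWOW64\\cmmon32.exe", "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},  # benign noise, must not fire
]

USER_WRITABLE = ("C:\\Users\\", "C:\\ProgramData\\")
SYSTEM_ROOT = "C:\\Windows\\"
# System binaries the behaviour graph shows being hollowed or spawned by this sample.
HOLLOW_HOSTS = {"logagent.exe", "cmmon32.exe", "dpiscaling.exe", "cscript.exe"}


def under(path, prefix):
    return path.lower().startswith(prefix.lower())


def base(path):
    return ntpath.basename(path).lower()


# Each rule returns (name, weight) when it matches a single event, else None.
def rule_public_drop(e):
    if e["id"] == 11 and under(e["target"], "C:\\Users\\Public\\Libraries\\") \
            and e["target"].lower().endswith(".exe"):
        return ("pe_dropped_in_public_libraries", 2)


def rule_motw_on_drop(e):
    # Event 15 = alternate data stream created; Zone.Identifier marks downloaded content.
    if e["id"] == 15 and e["target"].lower().endswith(":zone.identifier") \
            and under(e["target"], "C:\\Users\\Public\\"):
        return ("mark_of_the_web_on_public_drop", 1)


def rule_run_key(e):
    if e["id"] == 13 and "\\currentversion\\run\\" in e["target"].lower() \
            and any(under(e["details"], p) for p in USER_WRITABLE):
        return ("run_key_points_to_user_writable_path", 3)


def rule_injection(e):
    if e["id"] != 8:
        return None
    src, dst = e["source_image"], e["target_image"]
    if not under(src, SYSTEM_ROOT) and under(dst, SYSTEM_ROOT):
        return ("user_binary_creates_thread_in_system_process", 4)
    if base(src) in HOLLOW_HOSTS and base(dst) == "explorer.exe":
        return ("hollowed_host_injects_into_explorer", 4)


def rule_explorer_http(e):
    # Weak on its own: explorer.exe legitimately talks to Microsoft services.
    if e["id"] == 3 and base(e["image"]) == "explorer.exe" and e["dst_port"] == 80:
        return ("explorer_plain_http_egress", 2)


def rule_hollow_host_spawn(e):
    if e["id"] == 1 and base(e["image"]) in HOLLOW_HOSTS and base(e["parent_image"]) == "explorer.exe":
        return ("rare_system_binary_spawned_by_explorer", 1)


RULES = [rule_public_drop, rule_motw_on_drop, rule_run_key,
         rule_injection, rule_explorer_http, rule_hollow_host_spawn]


def score_events(events, threshold=8):
    """Sum rule weights over one host's events; alert once enough of the chain is present."""
    hits, score = [], 0
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                hits.append(hit[0])
                score += hit[1]
    return {"score": score, "hits": hits, "alert": score >= threshold}


if __name__ == "__main__":
    print(score_events(EVENTS))
```

The weights are deliberately uneven: a Run key pointing at a user-writable path or an HTTP connection from explorer.exe each occur in benign software, while a non-system binary creating a thread inside a Windows binary, followed by that binary injecting into explorer.exe, is the hollowing pattern the sandboxes flagged and carries most of the score.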
Unpacked files
SHA256 hash: 0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash: d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash: 3dc32f98eb13d725511b64924730132883ad3591

SHA256 hash: 79efff3c21df7739b3bf710f18e7ab3c90ae86e0a189f494a59b1cecc2b2b7bc
MD5 hash: 610eb36cbca9053a48efc8e6439eb24e
SHA1 hash: 2406dac08b7123ac0c7443db1abdd9cc45de59dd

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: Formbook
File: Executable exe 79efff3c21df7739b3bf710f18e7ab3c90ae86e0a189f494a59b1cecc2b2b7bc (this sample)
