MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d
SHA3-384 hash: c39ba5d971fcba7dd7c78c2ce7e89d3134e3b0c2ed57630d14b4449920bfcb4872656fb7439d563e4cb661f433b05372
SHA1 hash: bb67b59a343bf8f7fc469fff1ba2b038c3b05ae3
MD5 hash: 0f97ad66d936db3f7d18749048420623
humanhash: pennsylvania-early-wisconsin-black
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:956'416 bytes
First seen:2023-03-06 15:51:10 UTC
Last seen:2023-03-13 07:09:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Fc62iNawENb3cOQ7qZLCjj++XGuHw9L0NJ5jqLKQWe8dSj7+PP5lf7YfaARs+5qp:H1Qwe3cOQuYG+XFHwaJ5t3nIzjWbym
Threatray 2'336 similar samples on MalwareBazaar
TLSH T12115AF9132B1D4B3F5CB017564287ACC2D3CB153F6D4E24B6A777AC09601ABBF6A8E11
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter JAMESWT_WT
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 15:53:44 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/cb4789a5-c672-4a54-8e3a-8ca6d6727e75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372074/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64060c25fa4a461fbd257c45/reports/7ae1ead8-c6da-412e-95cb-d86647ec1b6d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f4740dd-516e-4206-b299-77077fead7c1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187916
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820790 Sample: vbc.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 3 other signatures 2->38 8 vbc.exe 3 2->8         started        process3 file4 24 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 8->24 dropped 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 54 Injects a PE file into a foreign processes 8->54 12 RegSvcs.exe 8->12         started        15 RegSvcs.exe 8->15         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 12->56 58 Maps a DLL or memory area into another process 12->58 60 Sample uses process hollowing technique 12->60 62 Queues an APC in another process (thread injection) 12->62 17 explorer.exe 4 1 12->17 injected process8 dnsIp9 26 ikroop.com 162.214.80.79, 49705, 49706, 49707 UNIFIEDLAYER-AS-1US United States 17->26 28 www.estates.team 64.190.63.111, 49711, 49712, 49713 NBS11696US United States 17->28 30 7 other IPs or domains 17->30 40 System process connects to network (likely due to code injection or exploit) 17->40 21 chkdsk.exe 13 17->21         started        signatures10 process11 signatures12 42 Tries to steal Mail credentials (via file / registry access) 21->42 44 Tries to harvest and steal browser information (history, passwords, etc) 21->44 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 13:50:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=puhvvgdbg6e4d4wkknynqxu3ga2i3kgofaw5x6of4u5r2oqfaiwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12d38622f7319731f4ff01c6cd2cd7a9cf458658f6a7438e1d1d1f2a5c2edfe5
Formbook
4e76c680beb65149bcd635087a716ec03bbeed03d722482a959a3ddaa8671fc4
Formbook
5fe93d9730b1f7d667b106fb482894dcdc0aeeac61ab1c1f26227cb46c27c947
Formbook
6aae46140819f63ba6d8021f344c1e45fe751050aa6fa5d47e87711f4beb0e90
Formbook
76cded40cd51eeb98f734dafed6ac0b0562d847a48b5d42a9b55d11dd73f1d21
Formbook
81eeb17cfcd81f15427dcc3c88390712bfba7d19aa3f3e7e8d9ac43401456eb7
Formbook
a97aa6604d2ad5146a8ef252e571d4b0c1e2ee8566964be8086532ef049b10d4
Formbook
adaa96068e4072db205354abc3394d59db0cc04248c7ed3022f95da4efa94438
Formbook
e1556a1dda46c2e872e9a18f21d8cbbf8f71d0dd65094e9ec6cac22a9a1aa915
Formbook
f8942728742c053d4ea847b57494bc495dbe64d2aad58633fa7334d5538e1860
Formbook
+ 2'326 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230306-ta25vace8t/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
e8e28ca56eab480adb40a4c2e984d3b9b31a0ea78d0341022df0716d80ed5d8a
MD5 hash:
868ab400ff064c5825b52ef8d7031923
SHA1 hash:
0d3bd79d0be9dc61392141bed496d7461bf29611
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
Parent samples :
7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d
4ea3d22ec69a4b7c9382037516b64d5eecc70e14423281ac2697c22ac7bfeb72
SH256 hash:
1edd47e2e51026f17de28c988c10f052d7b191bd48f5751d225bbaff924f7860
MD5 hash:
21ee6831c8b0c412a13a145e1866a19a
SHA1 hash:
67fed28cd8b8250344446b991fde9b103627ffbc
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ad2f188002bc04824305d99cfe28b01d0464fc380228d80fdcdc6437f7dd8780
MD5 hash:
5070109f5905dab3ca44baaa9feed949
SHA1 hash:
5d0b2467d1ef8e46978c8a760522333d32885b19
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
SH256 hash:
60458db3e51ba89a2d563c89688a3d2b7ea87be53399c9f7ff44b750e5ef8639
MD5 hash:
283391aa59e90512c76d0a8b13844a9a
SHA1 hash:
55168238a95532fa1edac4d6d5664d620a8c3181
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
SH256 hash:
7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d
MD5 hash:
0f97ad66d936db3f7d18749048420623
SHA1 hash:
bb67b59a343bf8f7fc469fff1ba2b038c3b05ae3
Link:
https://www.unpac.me/results/613f79ec-3491-4d4e-8eeb-80b834770c28/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d0f5a986137/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7d0f5a98613789c1f2ca5370d85e9b30348da8ce282ddbf9c5e53b1d3a05022d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2560528/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/372074/

Comments