MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d7d6f46787e230d59ce6b73c39f7b63510c7a6d13a886959a27bad0f8477162. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10



SHA256 hash: 7d7d6f46787e230d59ce6b73c39f7b63510c7a6d13a886959a27bad0f8477162
SHA3-384 hash: 422f14fc9e978bb90d27ae4b4095d0b281e9b0219f66b4ea05ca873fe882ab3523ab0263b7972f7483691b374009f4aa
SHA1 hash: 510b2531a367da1e102506c31787d43fdc6ecea0
MD5 hash: e150e8abd40ad906acf19f718e610ef8
humanhash: alabama-snake-twelve-lithium
File name: rCheq0004783.bat
Signature: Formbook
File size: 4'442 bytes
First seen: 2024-05-15 00:59:34 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 96:jSZSwSPSKmOxJ9AKjf2sHizvyVVty4B9MADdi2A3dY+ybc4T:3x39CsVg47MADdDJFbca
TLSH: T16791B51CDC030A2F6B7B644598569019C7E850769077AC677CDA438F9E874FCE2DE3A4
Reporter: FXOLabs
Tags: bat FormBook

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 123
Origin country: BR
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
7d7d6f46787e230d59ce6b73c39f7b63510c7a6d13a886959a27bad0f8477162.bat
Verdict:
Malicious activity
Analysis date:
2024-05-15 01:01:55 UTC
Tags:
formbook stealer spyware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook, GuLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 1441713; Sample: rCheq0004783.bat; Start date: 15/05/2024; Architecture: WINDOWS; Score: 100 (the graph itself is rendered as an image on the original page and is not reproduced here)
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds policy Run key to start application
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Batch (bat) 7d7d6f46787e230d59ce6b73c39f7b63510c7a6d13a886959a27bad0f8477162 (this sample)
Delivery method
Distributed via e-mail attachment

Comments