MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0
SHA3-384 hash: c7dd722a37aca046f40547399ad8a6d47514dd223a3d9f710c6d77a4b74e5f7a83b1955de9411d1d7f4ee3e8d0c8a743
SHA1 hash: ddb2e6c5412027261ca3f339e73a309451aa88b0
MD5 hash: 5978c05476263bda7d960999d199231b
humanhash: zulu-north-johnny-cardinal
File name:Boat Payment Copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:308'927 bytes
First seen:2022-03-21 12:44:40 UTC
Last seen:2022-03-21 15:04:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiuJdWYNKtZP6HQiQA7TnwxMxsnE6SejO+01N3YneWh3159LMVJ0iCe:iCY60HqA7TwKxgE6MD1lSph3159LMV2I
TLSH T10564234743C0A9FBCDA2593A2D32AB7CE7B3539013AB344B0BD82E7E51B63A64155607
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253574/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.27035.20717.684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6238735e0cd58dbd92ce9d52/reports/4734524d-b211-4eab-af07-1b23ccb7cd2b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f533207-65c0-4094-8a46-dbc734e938a9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960816
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593296 Sample: Boat Payment Copy.exe Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 6 other signatures 2->51 11 Boat Payment Copy.exe 18 2->11         started        process3 file4 35 C:\Users\user\AppData\Local\...\xabehid.exe, PE32 11->35 dropped 14 xabehid.exe 11->14         started        process5 signatures6 59 Antivirus detection for dropped file 14->59 61 Multi AV Scanner detection for dropped file 14->61 63 Machine Learning detection for dropped file 14->63 65 Tries to detect virtualization through RDTSC time measurements 14->65 17 xabehid.exe 14->17         started        process7 signatures8 37 Modifies the context of a thread in another process (thread injection) 17->37 39 Maps a DLL or memory area into another process 17->39 41 Sample uses process hollowing technique 17->41 43 Queues an APC in another process (thread injection) 17->43 20 explorer.exe 17->20 injected process9 process10 22 raserver.exe 20->22         started        25 autofmt.exe 20->25         started        signatures11 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 27 cmd.exe 1 22->27         started        29 explorer.exe 148 22->29         started        31 explorer.exe 94 22->31         started        process12 process13 33 conhost.exe 27->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 04:03:33 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxu7pkavk7kkfjubrnilr6flrfem4yzjx4ogs3idryjdci32a7ia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ubqk loader rat
Link:
https://tria.ge/reports/220321-py4alaccc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
d54e92129fe9926d2e995df71ecca40ba78e783dd22ba55d0f442a010b2f93da
MD5 hash:
5661ec0746d93b6ee0a2693f2e8a197e
SHA1 hash:
70cc5757db8ce3bcea5f830ca5b6e7ff72e62c31
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3f902422-d4f4-4c47-bccc-7f6f3e0ec562/
Parent samples :
0e39ef64479fdca265d7a41809af208aa2720d8d3895187b5f8f7ea5370018bc
7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0
041760471bc27a43bf84ff6bee7edce055983316c01cd984ade1872239c1a35c
b10824c56d2ef6aa6af1474f898e5578bb6f6155eb4f9cd63ef3e7fd36c2a827
SH256 hash:
7d7fa43fd07b5fd25e24a10abcea1468ed2a1827d5f2d95289e899bef5b92b20
MD5 hash:
0efe6f9c73227f6a2e93b41d66846185
SHA1 hash:
87619b57a5ef7b75ea60e21f9756833c681167b0
Link:
https://www.unpac.me/results/3f902422-d4f4-4c47-bccc-7f6f3e0ec562/
SH256 hash:
7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0
MD5 hash:
5978c05476263bda7d960999d199231b
SHA1 hash:
ddb2e6c5412027261ca3f339e73a309451aa88b0
Link:
https://www.unpac.me/results/3f902422-d4f4-4c47-bccc-7f6f3e0ec562/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7de9f7a81557d4a2a6818b50b8f8ab8948ce6329bf1c696d038e1231237a07d0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/253574/

Comments