MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80802d7e4597b03c737d2baa9bb2cb2a400f2c0546218cfa505d408ec5d99b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 8



SHA256 hash: 80802d7e4597b03c737d2baa9bb2cb2a400f2c0546218cfa505d408ec5d99b15
SHA3-384 hash: b5248d3c353fed12bbd7af7ebbb31c07f02dea8ba7160222696e8d29d3797982e9b1c0def0054259cbfff5d5e179bde0
SHA1 hash: 7eb5cfaa30c6f08b6f5d24f57dd7d7b817f32cd0
MD5 hash: ae692fcbbd8eaba430718ea25e54f96a
humanhash: august-five-lemon-fruit
File name: kpb.hta
Signature: Formbook
File size: 3'816 bytes
First seen: 2023-07-10 11:56:17 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 48:3aVnuuu/7a+fuuu6uDDOEXotnGuuitn5uG:q6
TLSH: T1E971883C9990BDD0D3D7F2E844497E6208899F0BA5116E1AB88C14B3A72466E1D3598B
Reporter: malwarelabnet
Tags: FormBook hta

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: CA
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: HTA File - Malicious
Payload URLs:
URL: http://103.131.56.71/R_1022Q (file name: HTA File)
Behaviour: BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: powershell

Result
Verdict: MALICIOUS
Details:
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Empire PowerShell Request: Detected a base64 encoded PowerShell HTTP request that is likely sourced from Empire.
Hidden Powershell: Detected a pivot to PowerShell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name: FormBook
Detection: malicious
Classification: evad.troj.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph ID: 1269695
Sample: kpb.hta
Start date: 10/07/2023
Architecture: WINDOWS
Score: 100

Process tree (reconstructed from the behavior graph; node numbers are the graph's own):
[2] Sample root
    Network: www.uty186.com; www.snazzy.top; 17 other IPs or domains
    Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures
    [14] mshta.exe (started)
        Signatures: Encrypted powershell cmdline option found; PowerShell case anomaly found
        [17] powershell.exe (started)
            Signatures: Encrypted powershell cmdline option found; Powershell drops PE file
            [20] powershell.exe (started)
                Network: 103.131.56.71, ports 50231, 80, VELOCIXLIMITED-AS-AP VELOCIXLIMITED IN, Taiwan; Republic of China (ROC)
                Dropped file: C:\Users\user\AppData\...\IBM_Centoss.exe (PE32)
                [26] IBM_Centoss.exe (started)
                    Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
                    [29] RegAsm.exe (started)
                        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                        [32] RAVCpl64.exe (injected)
                            [34] wlanext.exe (started)
                                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
                                [37] explorer.exe (injected)
                                    Network: www.snazzy.top 203.161.55.144, ports 50248, 50249, 50250, VNPT-AS-VN VNPT Corp VN, Malaysia; www.blackhawkstickets.com 91.195.240.68, ports 50289, 50290, 50291, SEDO-AS DE, Germany; 12 other IPs or domains
                                    Signatures: System process connects to network (likely due to code injection or exploit)
                                [41] firefox.exe (started)
                                    [43] WerFault.exe (started)
            [24] conhost.exe (started)
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: QbotStuff
Author: anonymous

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments