MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16
SHA3-384 hash: ef551d96cf5f06609b2924398ff68cbd71702cc5f0a391a619b33db8d13af2dcf4c6e323de6077f0166d969628329d4d
SHA1 hash: 295427c1b0d6bb135083db87119b2b8195a579fc
MD5 hash: f81330ee5847784f90651d57d0e2e916
humanhash: music-bulldog-alanine-alabama
File name:Order Details_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:438'173 bytes
First seen:2022-03-21 16:01:53 UTC
Last seen:2022-03-21 18:14:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:xd96dzKzAVZAxr59e6yr/7XXKc2eNjT/4rF6SOsXzV8i/psDjmD7CfLaGsi7qZ8s:xd96dzKzAVZAxr59e6yr/7XXKc2eNjTY
Threatray 14'273 similar samples on MalwareBazaar
TLSH T1469407AF22DC6F6DEE94DDB370440C6D62E7A350D2BC3919EC092E534BDC82E6562B44
File icon (PE):PE icon
dhash icon 4d534d6d59456941 (1 x Formbook)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253680/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.23417.29957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6238a1820cd58dbd92cfb860/reports/0c4178be-f5d4-4efb-a19d-9b4e02aca4d3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7944375e-78c9-4f1b-b1af-d4338fded66f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960951
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593439 Sample: Order Details_pdf.exe Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 5 other signatures 2->53 11 Order Details_pdf.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\Temp\ajlnkd.exe, PE32 11->31 dropped 14 ajlnkd.exe 11->14         started        process5 signatures6 63 Antivirus detection for dropped file 14->63 65 Multi AV Scanner detection for dropped file 14->65 67 Tries to detect virtualization through RDTSC time measurements 14->67 17 ajlnkd.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 17->20 injected process9 dnsIp10 33 metaversogrowth.com 2.57.90.16, 49782, 80 AS-HOSTINGERLT Lithuania 20->33 35 www.metaversogrowth.com 20->35 37 www.crowd-bonus.online 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 24 cmd.exe 20->24         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 24->57 59 Maps a DLL or memory area into another process 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 15:35:55 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qo73dpz5irnynzfkhr2tzhz7qdgqbwv42umzh5t2us5dnx3r5mla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
5091b0812652b76aa775615c4887c2f01934763ebd857bb0cbd40f3debc36770
Formbook
6bd24ce0a16599d97686146c6a822023f0f4896fcee914eed9a4e45a7e46b864
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e
Formbook
75a17cb26bd616c7d7b48b0b3add3033b6cd8656d8d20a0618734a3850072632
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
945f67ae677681e14db036f753f47333556fea6f3837bef7399e440e6bc167d5
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 14'263 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s09m rat spyware stealer trojan
Link:
https://tria.ge/reports/220321-tgsjzsdfc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
63babb250653c967089ff446fe153ade6ea4c6b893d1ef22733b25122d00b1e9
MD5 hash:
5b42595445d092db8cbdb88fb7ba02ae
SHA1 hash:
cdaf8cfb0a0edf56f7e689610e268873ca1fcb65
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f64001ff-cdda-426d-8573-c1339999de7e/
Parent samples :
83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16
682eeaccd2f75abe35a1f7163b8c7d00138a7882b0fbf3ec7e5c39846802f37e
ddfdab103d34dfc6ddd6518745c101342e9953e6c2e049576e15ea570fb16e3a
ec6cb0a51fe3d020e3989762f1b449f45413695c9ea7db67d3a2cf31c9e26ef1
SH256 hash:
61870383c954b4145defb8e5c072cd1b831aea50f727da1e18ca5522048042e2
MD5 hash:
a094d45c2214c0bd5dc82f0011b2bbfa
SHA1 hash:
fee2fce19626aea8f4b25e74421992af4fe85296
Link:
https://www.unpac.me/results/f64001ff-cdda-426d-8573-c1339999de7e/
SH256 hash:
83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16
MD5 hash:
f81330ee5847784f90651d57d0e2e916
SHA1 hash:
295427c1b0d6bb135083db87119b2b8195a579fc
Link:
https://www.unpac.me/results/f64001ff-cdda-426d-8573-c1339999de7e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/83bfb1bf3d44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 372aa193e388209de027e3c63d898f3df4c4abf76023feaee4c99cca2d2daa0a

Formbook

Executable exe 83bfb1bf3d445b86e4aa3c753c9f3f80cd00dabcd51993f67aa4ba36df71eb16

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 372aa193e388209de027e3c63d898f3df4c4abf76023feaee4c99cca2d2daa0a
Cape
Cape
https://www.capesandbox.com/analysis/253680/

Comments