MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc
SHA3-384 hash: 42657fbcae2798345f6a3ca03cb463c32925eb0dde011849d668c8c584b324b2c7ed48518d8c13618d932ecbad90e3f4
SHA1 hash: dc4b11ceeb0c04d0528c7074cc181714b8176050
MD5 hash: 6dac7fe3d5c2d600fe6650d571bfb44d
humanhash: mountain-mockingbird-yankee-kansas
File name:Copia de pago bancario.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:944'640 bytes
First seen:2021-12-10 12:27:27 UTC
Last seen:2021-12-14 07:37:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 939d8f743f99c748d946de3c81bddd31 (3 x RemcosRAT, 2 x DBatLoader, 2 x Formbook)
ssdeep 24576:suRQsAJcBdZF0bE25gAUQI+3c13TOqamxypnUXAGe:sL9JO0jUn
Threatray 11'743 similar samples on MalwareBazaar
TLSH T148159EA2E2F05C32C07F16B99D4BAAE4653B7D103D199C465FF82D8C9F367A034185AB
File icon (PE):PE icon
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Copia de pago bancario.exe
Verdict:
Malicious activity
Analysis date:
2021-12-10 12:32:52 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/86ae22fa-e967-444e-b11d-c432d49ed8f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/213156/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.14043.29714.27623.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1545/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61b347d8fa72c81b5b167151/reports/1aa8d7f7-c2e6-42e1-aea5-00814a596a1f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89df70c3-a198-49d2-ad70-70b25ac01e0d
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/905314
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 537798 Sample: Copia de pago bancario.exe Startdate: 10/12/2021 Architecture: WINDOWS Score: 100 46 www.launchclik.com 2->46 48 www.gongwenbo.com 2->48 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 3 other signatures 2->88 11 Copia de pago bancario.exe 1 18 2->11         started        signatures3 process4 dnsIp5 66 cdn.discordapp.com 162.159.134.233, 443, 49753, 49754 CLOUDFLARENETUS United States 11->66 42 C:\Users\user\Oaniereg.exe, PE32 11->42 dropped 44 C:\Users\user\Oaniereg.exe:Zone.Identifier, ASCII 11->44 dropped 112 Writes to foreign memory regions 11->112 114 Allocates memory in foreign processes 11->114 116 Creates a thread in another existing process (thread injection) 11->116 118 Injects a PE file into a foreign processes 11->118 16 DpiScaling.exe 11->16         started        file6 signatures7 process8 signatures9 68 Modifies the context of a thread in another process (thread injection) 16->68 70 Maps a DLL or memory area into another process 16->70 72 Sample uses process hollowing technique 16->72 74 2 other signatures 16->74 19 explorer.exe 2 16->19 injected process10 dnsIp11 50 dns.zhanh.com 119.28.141.142, 49820, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 19->50 52 www.kuechenpruefer.com 217.160.0.95, 49819, 80 ONEANDONE-ASBrauerstrasse48DE Germany 19->52 54 11 other IPs or domains 19->54 90 System process connects to network (likely due to code injection or exploit) 19->90 92 Uses cmd line tools excessively to alter registry or file data 19->92 94 Uses ipconfig to lookup or modify the Windows network settings 19->94 23 Oaniereg.exe 13 19->23         started        27 Oaniereg.exe 14 19->27         started        29 systray.exe 19->29         started        31 2 other processes 19->31 signatures12 process13 dnsIp14 56 162.159.129.233, 443, 49759 CLOUDFLARENETUS United States 23->56 58 cdn.discordapp.com 23->58 96 Multi AV Scanner detection for dropped file 23->96 98 Writes to foreign memory regions 23->98 100 Allocates memory in foreign processes 23->100 33 DpiScaling.exe 23->33         started        60 162.159.133.233, 443, 49762 CLOUDFLARENETUS United States 27->60 62 192.168.2.1 unknown unknown 27->62 64 cdn.discordapp.com 27->64 102 Creates a thread in another existing process (thread injection) 27->102 104 Injects a PE file into a foreign processes 27->104 36 DpiScaling.exe 27->36         started        106 Modifies the context of a thread in another process (thread injection) 29->106 108 Maps a DLL or memory area into another process 29->108 110 Tries to detect virtualization through RDTSC time measurements 29->110 38 cmd.exe 1 29->38         started        signatures15 process16 signatures17 76 Modifies the context of a thread in another process (thread injection) 36->76 78 Maps a DLL or memory area into another process 36->78 80 Sample uses process hollowing technique 36->80 40 conhost.exe 38->40         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-12-10 08:06:28 UTC
File Type:
PE (Exe)
Extracted files:
109
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxokgbde4xjdtkbbiddgcht5tuxe5ctuadegtq3mhreztifsehoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
Formbook
5711679832ca14467c62d275e991128c25ffc174f3a1539a46d51b724e1c9078
Formbook
6967bdb48b95df3cf797ec06e2f38f20932cca68f2ce8a6cb5b2ee3071826d09
Formbook
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
Formbook
897d218b958ece913adb5670a36e54f96f7d5279174c21f11cef92e31876a772
Formbook
b8dc1db94b5752524bd51980516ac00c095ef291ca89d8096db6cb4b4dab91b6
Formbook
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
Formbook
ff577215d4aaa29ae63860167282ceeb0a703daadfdaef2155102500c269caa2
Formbook
+ 11'733 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:euv4 loader persistence rat
Link:
https://tria.ge/reports/211210-pnb4csgdc7/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.rematedeldia.com/euv4/
Unpacked files
SH256 hash:
1b7543f01e0905aad968e37baccbf702cac518496b11deecc3512c205df0dbe6
MD5 hash:
355d5d8a066c9b9296e54b6bbfa25412
SHA1 hash:
839eb5cc659aec1f09779ae374aa941bcb622b66
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/bcc83dad-9386-4747-a856-d21edc99b43e/
Parent samples :
ed1d279d93f8882f951b4e4a072ca919b5d9b42b8f83da74c8ad2ceb4cf0f634
c7a89255767729cc8f5dbd610779baac706af799ccbb1a4945c55a77632e671c
af2a8024939f13bee37b6d3a35aa5df93e2a6b11cede4bea19493c4d704b050f
78900ed7307ae31ad9b74204fd8e4798b01a6b7bc593e70d4a7aaab7ab1b2b95
9936a6bda8c332e2aec071444db5f68e1b34745412158cad8394ceb3c80d36ee
016995a4b65533b314b70ebab42fb3c6dee830dff7a7261080f6e743da562b9a
34c093aa616e9e574f2ae88bc1fe3dd818200b0586ed20945147a7fb6848dfd8
8c9f7973d30b69a406f5169bf847212c11d275a96b348137c447cea3089a58a9
f6d0fdcf620ebd3b483c6dd7e9bc7bea2f9acca8d34eb7b84ebaf457671fd758
9e1f83813953f38ebc2e39ec795b85cc808e6f5cb36ea8b3a25e7eddb3cf429b
db5b52f3949ca7cb29e009535f1d2021b0f24b4e114717a20e86869abae48850
9a63e8c9e7bfb45eb903482e3ba9ed3f3d64db90b62f13355dff1a5ed5d2376d
c3e06052cbfbbf225d9d3052bb3478e1c72111d4cb18240806f32f517be86b3f
baccd3d2cd02286e08b6739dfc786f67bd64b5da6bfca6ba93ddf21f8e9d8359
9685ed86f91fd0a3c20c5badbf361475fa0316f365a35d352e8e1caff333890f
309ca816bed485731d7702c80339e6b5d209618888ea92a972a7189ed1102518
34fcac5d4cf2062249f369fda6ae1932ac41655890da91f02bc304afe3706e86
a78e89ef2769dd705ce27a6b5876ca2fdc5a5aa078ff9a4d86f186d4bb6edce8
85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672
1fc74504d626223335f39e10435bd3366bc5533619e8e7713e2a48eadd4dc26a
7cf3410e13c13eb9cdfb1fa3df95f643bfbf7b55f5de595353205b4c44b84c5d
4afefb73e99678c987858f79095a203a3df18eeeb0fe7b59571325613f4a3dd1
10f5584682c3f5d54ba1e3afd68822c81e8234531c8b1a41e11774b980915c72
b59a94fa3d43aaa64ce137a035dc166ff2226e9113decc5b24b120f0309a6c7d
b7a6d7f4d15e42eb71836dc7372f48654462c7752d015513232346f0af92f81e
1bc95ae62d31b8b9c4a34c80049f693cb31199e768af6ac4a33fe082b34209a7
8b94dbe71305cc3e5a3963757e03e6344402b9f7babb373df3d80a90e0e4d1e2
9e303489b6a886ee967ace328a26749db9664604ab638e544e260918044b21de
47576aba2a25e4b969ccd69eec27646901c41aa4d9efd6127aac9c5016568048
640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb
e3c4caeafd8e19662239571bd3eee795d2ffb003953ce5eb06026a1be72b32e0
be518dfc7bbd3b6b298897a86dde6242a186f613e9930f2c49f6704de37ac4a3
a90bba267082093022d3ed1685f7a9e91a2f1d384f85dc2883caecd4fd3eb505
ed063e69d7a5b6e0d14d81df38a1ec039788191dea6bd072aa573bfa90594899
764b532b622894b7ec4590c2868e0a3e0b9e58eca72251b012c6ae4c5639971f
3a7a42d1cb828cdb0f1ea382a8859052b7862414cdb3a5e2d623e922d4d00485
0fc54d55d3cb27bf5ec3c09325478deeebc49ff858fd7f413a62fb949b7a9666
2240e1501c44abd572464704dbeab4984f8d9d6811a2401b831a6255f03e6587
ef50c5943a01eb155acc81b7a4de6749ec5e438666bedc6be95f42ad92bb7c36
a3c386096f6c478045ba6190d68a6591322ec9d4e480b900d3e7ef88e1622751
SH256 hash:
85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc
MD5 hash:
6dac7fe3d5c2d600fe6650d571bfb44d
SHA1 hash:
dc4b11ceeb0c04d0528c7074cc181714b8176050
Link:
https://www.unpac.me/results/bcc83dad-9386-4747-a856-d21edc99b43e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/85dca30464e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/213156/

Comments