MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733
SHA3-384 hash: c903229da32ae58be00f656b7a856ac220cbf58dbc8f0f7affcccc22c0f8145cd7ecdafdd1013810221e74a1ca1cdd8d
SHA1 hash: f2458590e766f7bba6766809ebbb2aa0ba95bee3
MD5 hash: 75379f0cd57daa69537ea86c76fd00d4
humanhash: delaware-summer-colorado-eighteen
File name:098754345678.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:580'800 bytes
First seen:2024-05-13 13:20:41 UTC
Last seen:2024-05-13 14:26:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 12288:Wa+TesAUQHJ/8sEPqQNbtii4YVmt9as12P+pFE:h8esAfpePqYi9sP+rE
Threatray 1'258 similar samples on MalwareBazaar
TLSH T1A6C402E9AB54E926CBD44B714877CA3946329C456F30070F3BE4B93A3BB11F78807A65
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter James_inthe_box
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Puss
Issuer:Puss
Algorithm:sha256WithRSAEncryption
Valid from:2024-05-07T09:51:52Z
Valid to:2027-05-07T09:51:52Z
Serial number: 1dbcd03cc537293f7abb5f4d6ae4c6afdd0f1add
Thumbprint Algorithm:SHA256
Thumbprint: 865c27ed044c9753df66619f83623fd38a682e8de833cb3fe379eba0f25b005a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733.exe
Verdict:
Malicious activity
Analysis date:
2024-05-13 13:25:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d32a1cdf-e8ef-40c3-92ee-3d9c47d32128

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.12041.10.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Searching for the window
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/664213c654aa07c307f93d55/reports/18e1dc15-b7ce-4dfb-8c39-41a583456118/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85c8d7cf-18dd-4776-8fbb-ceca1c998e53
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1440542
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1440542 Sample: 098754345678.exe Startdate: 13/05/2024 Architecture: WINDOWS Score: 100 49 www.falstru.xyz 2->49 51 www.vicenc39-ns.store 2->51 53 34 other IPs or domains 2->53 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 87 2 other signatures 2->87 11 098754345678.exe 3 19 2->11         started        signatures3 85 Performs DNS queries to domains with low reputation 49->85 process4 file5 45 C:\Users\user\AppData\Local\...\Poorly.Neu, ASCII 11->45 dropped 99 Suspicious powershell command line found 11->99 15 powershell.exe 20 11->15         started        signatures6 process7 file8 47 C:\Users\user\AppData\...\Deciliteren.exe, PE32 15->47 dropped 63 Obfuscated command line found 15->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->65 67 Writes to foreign memory regions 15->67 69 4 other signatures 15->69 19 Deciliteren.exe 2 7 15->19         started        23 conhost.exe 15->23         started        25 cmd.exe 1 15->25         started        signatures9 process10 dnsIp11 55 vibrantbhutan.com 148.72.213.232, 443, 53278 AS-26496-GO-DADDY-COM-LLCUS United States 19->55 89 Antivirus detection for dropped file 19->89 91 Tries to detect Any.run 19->91 93 Maps a DLL or memory area into another process 19->93 27 PSkbppyKElhoiHn.exe 19->27 injected 30 cmd.exe 1 19->30         started        signatures12 process13 signatures14 97 Found direct / indirect Syscall (likely to bypass EDR) 27->97 32 recover.exe 13 27->32         started        35 conhost.exe 30->35         started        37 reg.exe 1 1 30->37         started        process15 signatures16 71 Tries to steal Mail credentials (via file / registry access) 32->71 73 Tries to harvest and steal browser information (history, passwords, etc) 32->73 75 Modifies the context of a thread in another process (thread injection) 32->75 77 2 other signatures 32->77 39 PSkbppyKElhoiHn.exe 32->39 injected 43 firefox.exe 32->43         started        process17 dnsIp18 57 www.falstru.xyz 162.0.237.22, 53293, 53294, 53295 NAMECHEAP-NETUS Canada 39->57 59 parkingpage.namecheap.com 91.195.240.19, 53297, 53298, 53299 SEDO-ASDE Germany 39->59 61 9 other IPs or domains 39->61 95 Found direct / indirect Syscall (likely to bypass EDR) 39->95 signatures19
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733/
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2024-05-13 12:01:03 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q25nzqy6erggie2kz5qcgx4n2eg4dhvd4mgmz6g4i5qnzhzqq4zq._file
Verdict:
unknown
Similar samples:
22028442e5ae09f1e7deee991d512fc21fb424d7f7d8a25b1e482dc442f070ad
Formbook
5ed5d59a7c41e1f8a8e5b0926189ae54610558297b6b6edf04449c06771fbaef
Formbook
86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733
Formbook
aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5
Formbook
c2c6dbfb6b0c03a22473c7f2f6cbfe0bbf500c795b920ddeb37c27af7de76d93
Formbook
d4a04769d4bd4b35a1e14846840667c4f949833d66a19791cde5f0024c33eed3
Formbook
+ 1'248 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240513-qlm9aaha55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733
MD5 hash:
75379f0cd57daa69537ea86c76fd00d4
SHA1 hash:
f2458590e766f7bba6766809ebbb2aa0ba95bee3
Link:
https://www.unpac.me/results/7e3dc5b9-4435-4ae2-baa2-29c93bb30437/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86badcc31e24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86badcc31e244c64134acf60235f8dd10dc19ea3e30cccf8dc4760dc9f308733

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments