MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8753275f0bd22cca6a047c6cd870f3b88aaf9f19b49fa9f2719794a6226e9e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8753275f0bd22cca6a047c6cd870f3b88aaf9f19b49fa9f2719794a6226e9e35
SHA3-384 hash: 56c3deae728034c7a970458570aa2770f97bfec6271af5bf22d1dcd830c5fa7e5e120138adc70d666f88594f0ce08863
SHA1 hash: e4742630d990a76f3d9ede7250f80987af61370c
MD5 hash: 9f83ab83650bdf3c09917f05cd1e762e
humanhash: moon-nitrogen-stairway-diet
File name:0366c2ad2886b21139af3d2259bc7721ba9d7c4745491301cf5cd6f852ae436a
Download: download sample
Signature FormBook
Create hunting rule
File size:877'056 bytes
First seen:2022-05-30 02:02:04 UTC
Last seen:2022-05-30 02:40:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4705e9c8be1c8d0762b867960a96fbeb (4 x FormBook, 1 x AZORult)
ssdeep 12288:e5x0pVvPpqVZcata+xE7CAjpdQMO5CYtEOhDt/pty/Y7mG4B+dxAWMeM7jEOd/i:e5Sykat5VedQN9eQhdxD/MMOd/i
TLSH T172159F13B2A19433D7B325788D2BDB985E39BD30792468462BF43E4C8F3A7917D25293
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8c982848998ac94 (10 x Formbook, 6 x DBatLoader, 4 x RemcosRAT)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0366c2ad2886b21139af3d2259bc7721ba9d7c4745491301cf5cd6f852ae436a
Verdict:
Malicious activity
Analysis date:
2022-05-30 02:04:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/683b9f41-39a9-40be-9d75-4465f78a7187

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275282/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.18813.23453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit keylogger remote.exe
Link:
https://www.filescan.io/uploads/629425deafb61a386666ea6f/reports/63fdba06-0428-49eb-9e2a-c8eae8b01132/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef791124-1ec5-410a-bd88-fe562b2d9338
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003344
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635840 Sample: 0366c2ad2886b21139af3d2259b... Startdate: 30/05/2022 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for URL or domain 2->68 70 6 other signatures 2->70 9 Jlrqmmqlpq.exe 14 2->9         started        13 Jlrqmmqlpq.exe 17 2->13         started        15 0366c2ad2886b21139af3d2259bc7721ba9d7c4745491301cf5cd6f852ae436a.exe 1 22 2->15         started        process3 dnsIp4 48 onedrive.live.com 9->48 56 2 other IPs or domains 9->56 74 Multi AV Scanner detection for dropped file 9->74 76 Machine Learning detection for dropped file 9->76 78 Modifies the context of a thread in another process (thread injection) 9->78 80 Queues an APC in another process (thread injection) 9->80 18 explorer.exe 9->18 injected 20 wlanext.exe 9->20         started        50 onedrive.live.com 13->50 58 2 other IPs or domains 13->58 82 Maps a DLL or memory area into another process 13->82 84 Sample uses process hollowing technique 13->84 52 192.168.2.1 unknown unknown 15->52 54 onedrive.live.com 15->54 60 2 other IPs or domains 15->60 44 C:\Users\Public\Libraries\Jlrqmmqlpq.exe, PE32 15->44 dropped 46 C:\Users\...\Jlrqmmqlpq.exe:Zone.Identifier, ASCII 15->46 dropped 86 Tries to detect virtualization through RDTSC time measurements 15->86 23 cmd.exe 1 15->23         started        file5 signatures6 process7 signatures8 25 help.exe 18 18->25         started        72 Tries to detect virtualization through RDTSC time measurements 20->72 29 cmd.exe 1 23->29         started        31 conhost.exe 23->31         started        process9 file10 40 C:\Users\user\AppData\...\55Alogrv.ini, data 25->40 dropped 42 C:\Users\user\AppData\...\55Alogri.ini, data 25->42 dropped 88 Detected FormBook malware 25->88 90 Tries to steal Mail credentials (via file / registry access) 25->90 92 Tries to harvest and steal browser information (history, passwords, etc) 25->92 94 3 other signatures 25->94 33 cmd.exe 2 25->33         started        36 conhost.exe 29->36         started        signatures11 process12 signatures13 62 Tries to harvest and steal browser information (history, passwords, etc) 33->62 38 conhost.exe 33->38         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8753275f0bd22cca6a047c6cd870f3b88aaf9f19b49fa9f2719794a6226e9e35/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-30 01:07:32 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
16 of 26 (61.54%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5jsoxyl2iwmu2qeprwnq4htxcfk7hyzwsp2t4trs6kkmitoty2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:p3ss persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220530-cgn35aaba2/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Formbook Payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/ee8f3f94-f109-4d7a-b684-3fa871c188aa/
SH256 hash:
8753275f0bd22cca6a047c6cd870f3b88aaf9f19b49fa9f2719794a6226e9e35
MD5 hash:
9f83ab83650bdf3c09917f05cd1e762e
SHA1 hash:
e4742630d990a76f3d9ede7250f80987af61370c
Link:
https://www.unpac.me/results/ee8f3f94-f109-4d7a-b684-3fa871c188aa/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8753275f0bd2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8753275f0bd22cca6a047c6cd870f3b88aaf9f19b49fa9f2719794a6226e9e35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275282/

Comments