MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d
SHA3-384 hash: de81b504bf2bfc8404ea4a9889c38dd8e87446021734ace3eb9b6616e3e1a9876e81ab12ed140524606c0ce7b63d3970
SHA1 hash: 3adc47ace5e0638da3a7231be4ebe316b1b4356f
MD5 hash: ff5073e7ca0e1ec86ee0268f040af237
humanhash: louisiana-uranus-kentucky-thirteen
File name:borilpokonta2.1.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:356'821 bytes
First seen:2023-09-29 14:49:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 6144:GnPdudwDNA/zUz6mvUwSaLHqhcSB6xhyLWshdUDBweVyP2IjksQNFFa8/SLm:GnPdZ8U9UwS6OcKAoTUl6fksG
Threatray 2'097 similar samples on MalwareBazaar
TLSH T1637412A5B6A0C9B7D46A17B02D3AD5FF259B3E01AC966E073BC07F0F7876192AC1D050
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0aaaa2b0303aad0 (34 x Formbook, 21 x AveMariaRAT, 18 x AgentTesla)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ-E3443.doc
Verdict:
Malicious activity
Analysis date:
2023-09-29 14:57:05 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/dd86da83-f7f9-4582-88d8-0ecfcc546320

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452012/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.3958.11986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Likely Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6516e41c32ffdb7a7a190b0c/reports/913dca9f-2591-4f12-9f41-05572b33b124/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25cafede-a06c-4f1a-945f-296b69b390bd
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316676
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316676 Sample: borilpokonta2.1.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 5 other signatures 2->53 11 borilpokonta2.1.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\Temp\tjwcbu.exe, PE32 11->31 dropped 14 tjwcbu.exe 11->14         started        process5 signatures6 63 Antivirus detection for dropped file 14->63 65 Maps a DLL or memory area into another process 14->65 67 Tries to detect virtualization through RDTSC time measurements 14->67 17 tjwcbu.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 4 1 17->20 injected process9 dnsIp10 33 www.automation-tools-84162.bond 104.247.82.90, 49800, 80 TEAMINTERNET-CA-ASCA Canada 20->33 35 azeemtourism.com 84.32.84.32, 49803, 80 NTT-LT-ASLT Lithuania 20->35 37 12 other IPs or domains 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 24 cmmon32.exe 20->24         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 24->57 59 Maps a DLL or memory area into another process 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 14:45:29 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rohzajb6off4t4xsxxi2oc6q7cclpek2u7iexncwma5oqluhd2gq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
Formbook
72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
Formbook
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
Formbook
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
Formbook
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
Formbook
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
Formbook
a1fc12e0b11dc727c1e4f58da908d512b2ea1fb69cc317e024390440807d62eb
Formbook
a530b6b2224f5b81914f4e439b135a06e761d6587e1ea76eb069c7c51c3ca50d
Formbook
a78e65c599449ae8f781711a5b432c95fd1c7ebbb4bb1c9353087e79b62f6489
Formbook
ebaa46d302bc220922a76189a85e48f24587ccab47f674d37b02cf4e605c4755
Formbook
+ 2'087 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ge06 rat spyware stealer trojan
Link:
https://tria.ge/reports/230929-r7kwqadd66/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
0a811094a7380ba633c2f4c2924f9eb44844ab6d9dcaff0b95a1e82a500fb1d6
MD5 hash:
085ca4ea20e5a3caadd139e6f92f6586
SHA1 hash:
16db2b86c5ac4fcd90cfb49712038d1ecf76d4bc
Link:
https://www.unpac.me/results/83653396-b5f4-4af9-b463-378df7d90371/
SH256 hash:
8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d
MD5 hash:
ff5073e7ca0e1ec86ee0268f040af237
SHA1 hash:
3adc47ace5e0638da3a7231be4ebe316b1b4356f
Link:
https://www.unpac.me/results/83653396-b5f4-4af9-b463-378df7d90371/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b8f90243e71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b8f90243e714bc9f2f2bdd1a70bd0f884b7915aa7d04bb456603ae82e871e8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/452012/

Comments