MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b
SHA3-384 hash: 3e52f5b90ce6e7f679d2c83adb1fd95413be4c22b889f60faeef9a842acf13260ba592ae5cd022a195ed75df9b6e73ca
SHA1 hash: 67a74d9f8af593adb085625a5e251cfd2faecfb4
MD5 hash: f3c36bf43617d533f5657526e1c3ed74
humanhash: paris-ink-oranges-grey
File name:NETES Sipariş 6210 FFFP2 % NR DNo2561 PB 34870 (2).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:814'080 bytes
First seen:2024-06-11 19:20:22 UTC
Last seen:2024-06-11 20:32:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:pkqljH3DIiky8jTeTpFwePDTxkTZv/9N53:pzPJky83eT4eHGv/b53
Threatray 9 similar samples on MalwareBazaar
TLSH T152052352B369D375D13F0A3EB1F1F8A252B0BC871E0AE9DC584D709D5663398D2A23D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b.exe
Verdict:
Malicious activity
Analysis date:
2024-06-11 19:54:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6839496f-4f95-4456-ad3f-b995179a7882

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Packed2.46943.12878.26695.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6668a75e5c0e232c1ff0524cwin7simulatehigh_evasion
Tags:
Banker Encryption Execution Static Heur Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4eaea5cb-4753-479f-bb84-21ccbc416a3f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455527
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses shutdown.exe to shutdown or reboot the system
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455527 Sample: NETES Sipari#U015f 6210 FFF... Startdate: 11/06/2024 Architecture: WINDOWS Score: 100 35 www.fungusbus.com 2->35 37 www.deviexp.com 2->37 39 2 other IPs or domains 2->39 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 8 other signatures 2->49 10 NETES Sipari#U015f 6210 FFFP2 % NR DNo2561 PB 34870 (2).exe 4 2->10         started        signatures3 process4 file5 33 NETES Sipari#U015f...B 34870 (2).exe.log, ASCII 10->33 dropped 61 Adds a directory exclusion to Windows Defender 10->61 14 NETES Sipari#U015f 6210 FFFP2 % NR DNo2561 PB 34870 (2).exe 10->14         started        17 powershell.exe 23 10->17         started        signatures6 process7 signatures8 65 Maps a DLL or memory area into another process 14->65 19 eWkwDtiqFzDSTmdodMukMIkzZO.exe 14->19 injected 67 Loading BitLocker PowerShell Module 17->67 22 conhost.exe 17->22         started        process9 signatures10 51 Found direct / indirect Syscall (likely to bypass EDR) 19->51 24 shutdown.exe 13 19->24         started        process11 signatures12 53 Tries to steal Mail credentials (via file / registry access) 24->53 55 Tries to harvest and steal browser information (history, passwords, etc) 24->55 57 Modifies the context of a thread in another process (thread injection) 24->57 59 3 other signatures 24->59 27 eWkwDtiqFzDSTmdodMukMIkzZO.exe 24->27 injected 31 firefox.exe 24->31         started        process13 dnsIp14 41 parkingpage.namecheap.com 91.195.240.19, 49718, 80 SEDO-ASDE Germany 27->41 63 Found direct / indirect Syscall (likely to bypass EDR) 27->63 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-06-11 08:39:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ruelxlflisrhh7mlfamdhk6oovexbamz33ujkjdbqxatvs5ubq5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ad14bdb7164ff738c6d2e78ab2ee12ab5322471c2fdb656afaa24a765aa0d62
Formbook
327db1c1b7fded33f7b8b9e54c591fc4e023a79ecdf59387803c05124a77cd90
Formbook
3eebc98964a6d4a81fd0371df1a6207100e7bea4eb78a000bc2accb0f10e6e7c
Formbook
461dc2509572b54f85ba0aed30d4a9969b0fcbf156da5f177270f741398e5b8e
Formbook
955f2a6426664a728fde4871d6309cf821c17187b4671e3917d83dc968d36e96
Formbook
9d104a1c57250458263ee33927332afc8f052457ba1ac4a7318bcafd148e68fb
Formbook
b64f36a2219ecf76454ceb92b2e56bc14143cf0cc9d9f2c356b2b982cb66ec98
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
fdf6769af86db361b56a4bc21862caa4c4f3c68f6b2fc1503735219db3727125
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240611-x2wnxsybkc/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
de7d5309431098a37416563240c9849df1a19072f2eafff5f03cfffc5e159fe8
MD5 hash:
06ec07e6e3650dd1ee9896f9c9354876
SHA1 hash:
e20a62931432a2691b629ffae52259713fb258e6
Link:
https://www.unpac.me/results/a7b4cfc5-b5e7-4e7a-b1d3-dd9c61f18d77/
SH256 hash:
6c930aafb95d521a2f65142afb27527cb07492258b8e520b81388758b4ad066d
MD5 hash:
d50c22df5bc525ae86fbe034324165d1
SHA1 hash:
1427f5d6976f909e69e7655dd12bcf47e2711648
Link:
https://www.unpac.me/results/a7b4cfc5-b5e7-4e7a-b1d3-dd9c61f18d77/
SH256 hash:
d67867ef93204c27c126a41fa778fcdbf89e34a3750014d8cc4a9394a1300d96
MD5 hash:
cfddc0c2c035e91ecc76782ff513e30a
SHA1 hash:
efd2f376cd2a3574240be6b03c563f42630a6ef7
Link:
https://www.unpac.me/results/a7b4cfc5-b5e7-4e7a-b1d3-dd9c61f18d77/
Parent samples :
82cbe9fc57abd337a5bf0d0d478ae7fb9158987c1d7c5006b20e309c06329ae8
804aee8eba800043c912038c55c36edeb8dd761913047e99b4a5e8d8cb8ef6c4
SH256 hash:
1a1de9f3fe4c3a7ea7cd547cdd9d78b3873d6e243e544e5bb647452d6d9f6cfe
MD5 hash:
ceb52a5c98659e8905ea76737fe00c01
SHA1 hash:
bb7b30ff84d6aa26eaa0021c9fa3cd2c5a08e694
Link:
https://www.unpac.me/results/a7b4cfc5-b5e7-4e7a-b1d3-dd9c61f18d77/
SH256 hash:
22b51cd8a45ff77ca67246f71a6d0d2b79f484b8b5f28162fd5ee2f753635eb2
MD5 hash:
b57e99300d083738059f1f5403a5e521
SHA1 hash:
b12e78f16cad7aad68bb24e357777033edc154d1
Link:
https://www.unpac.me/results/a7b4cfc5-b5e7-4e7a-b1d3-dd9c61f18d77/
SH256 hash:
8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b
MD5 hash:
f3c36bf43617d533f5657526e1c3ed74
SHA1 hash:
67a74d9f8af593adb085625a5e251cfd2faecfb4
Link:
https://www.unpac.me/results/a7b4cfc5-b5e7-4e7a-b1d3-dd9c61f18d77/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d08bbacab44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/8d08bbacab44a273fd8b281833abce7549708199dee895246185c13acbb40c3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments