MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3
SHA3-384 hash:	3463490a1876b4122fe1a17141543258f3cd0e7198728d2f5a83976a12423de09ae09b6c23ee21faf6cbf325bc8cdb70
SHA1 hash:	573d6fecd46c30dac8c337ea8ed9ee218980f0ae
MD5 hash:	51c6709cd33cc68226450140b2d2d02b
humanhash:	diet-juliet-neptune-high
File name:	Lista de orden.PO9876543354.PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	819'200 bytes
First seen:	2021-10-18 14:03:39 UTC
Last seen:	2021-10-18 15:08:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c27a46121fdf0c7d592b2676dec19736 (5 x Formbook)
ssdeep	12288:vg7gE4RdCLZ3nWmAaIfGmLgdNHuApk2CDTMZEsxH2zar1BYdQarCv:vPE1LZ36/lL2Lk2CDEEsJHJ+QarC
TLSH	T132059E75F1E087BAE1721A38094F6BCD95397C907988594B9FE93C9D4FEE58130328A3
File icon (PE):
dhash icon	903134f0e8aa55a8 (8 x Formbook, 2 x Dbatloader, 1 x BitRAT)
Reporter	GovCERT_CH
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/198232/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader43.46814.15834.23245.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger packed

Link:

https://www.filescan.io/uploads/616d7ed4a9d585e6d52c063d/reports/c88c1fe6-cfa5-400c-9bd4-19590f619517/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/020cd274-ebd1-4247-a815-6a1d3ef245ef

Result

Threat name:

DBatLoader FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/872341

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2021-10-18 03:30:26 UTC

AV detection:

23 of 45 (51.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s3qu73pqedhpqavaaxhzfcoxzd4kb4v5kfx64x2as3htnixsyhrq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:pvxz loader persistence rat spyware stealer

Link:

https://tria.ge/reports/211018-rc9xcsdff8/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Adds policy Run key to start application

Executes dropped EXE

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.finetipster.com/pvxz/

Unpacked files

SH256 hash:

2c445b887ee8e82dc1256c5042b465cf9294df5df96c3043f9927f21a9225b16

MD5 hash:

ee4f84d3e9caefcf462f319104860abd

SHA1 hash:

649465bbd208cbdc3e2b474ae35e17aca306d465

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/9508b386-f3da-467c-821a-863f88229a8c/

Parent samples :

ca74d0e5b26cf6d8d5e3b04c607f4dacaf6fabc78d369dcb8d3637d6ce72e6bb
1cb6deac4e20e2a13002d118fc863a0757409bab2f45a9390529f1e6ad5217fc
eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef
96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3
2a9bac8b5d947ef5f72c65bff3fe97d7ffd3602ec49915693987cd9909512187
22dd73a06a3bff8a7866c95b5191aa6a7b57d67d632b2373235e7b2ba4fd46fa
1a261ffbe76d224c7d9f9136723f1cdf35f661d0e5a38f43a7ee2cb31606f359
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
42e09f0e4d7ab0448e04d5d31fbc63cfb2df988f848853a5a149ff5454040184
ff27831341c8b2477f8f59094764e8c4341be79c3f678f27cc425aef3b1ab21b
6814190b4099c532caabe663df73d8ee0c7d70b55db3c69c56eefc1dc1d162f5
c14cd408876aab6eecaf7354dade35554e21c7a3a784fda79ae5f6d6349f15ff

SH256 hash:

96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3

MD5 hash:

51c6709cd33cc68226450140b2d2d02b

SHA1 hash:

573d6fecd46c30dac8c337ea8ed9ee218980f0ae

Link:

https://www.unpac.me/results/9508b386-f3da-467c-821a-863f88229a8c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/96e14fedf020/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3

(this sample)

Dropped by

xloader

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/198232/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample