MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97acc5c52513ead4ba018af7dd726edd3179f993099640681cd706db4d263f38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 14


Maldoc score: 2



SHA256 hash: 97acc5c52513ead4ba018af7dd726edd3179f993099640681cd706db4d263f38
SHA3-384 hash: b2d46052d3d3ea21adfc0cb28f8a1e9011bfc008150f2b9af5aa3c9536a098c95d29339c75477801bef1c2a936452669
SHA1 hash: c7bfa21c965c21fede51d40ed99a266c66ad3bfd
MD5 hash: dce0701e59bc317e4e152268c58c8322
humanhash: diet-ten-muppet-lion
File name: RMW-2422.xls
Signature Formbook
File size: 1'290'752 bytes
First seen: 2023-11-01 16:03:22 UTC
Last seen: 2023-11-06 13:51:48 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep 24576:FsBFw6/LZyM3bVMw6/UZyw3bVbcITQpIshHJfOmN8yv06LBddawCx:F6/N13bV/6/GX3bVbDTZ+pfOmP86dad
TLSH T14455D003ED40CB83D41C83F46EA34EE90B16AF14EA965ACF115ABF4F3E706621D5B51A
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags: CVE-2017-11882 CVE-2018-0802 FormBook xls

Office OLE Information


This sample appears to be an Office document. The following tables provide more information about it, produced with oletools (oleid, olevba) and oledump.

OLE id
Maldoc score: 2
OLE dump

MalwareBazaar identified 44 sections in this file using oledump. Ten of them are embedded-object storages (MBD0015F5C2 to MBD0015F5CB). Note that MBD0015F5CB carries a stream spelled OlE10nAtIvE, a case-mangled form of the Packager stream name Ole10Native that an exact-match rule on the name would miss:

ID  Size (bytes)  Stream name
 1           114  CompObj
 2           244  DocumentSummaryInformation
 3        120200  SummaryInformation
 4            94  MBD0015F5C2/CompObj
 5            62  MBD0015F5C2/Ole
 6         20409  MBD0015F5C2/CONTENTS
 7            94  MBD0015F5C3/CompObj
 8            62  MBD0015F5C3/Ole
 9         12169  MBD0015F5C3/CONTENTS
10            94  MBD0015F5C4/CompObj
11            62  MBD0015F5C4/Ole
12          7284  MBD0015F5C4/CONTENTS
13            94  MBD0015F5C5/CompObj
14            62  MBD0015F5C5/Ole
15         64830  MBD0015F5C5/CONTENTS
16            93  MBD0015F5C6/CompObj
17            64  MBD0015F5C6/Ole
18        124841  MBD0015F5C6/CONTENTS
19           114  MBD0015F5C7/CompObj
20           708  MBD0015F5C7/DocumentSummaryInformation
21         23248  MBD0015F5C7/SummaryInformation
22         97872  MBD0015F5C7/Workbook
23           418  MBD0015F5C7/_VBA_PROJECT_CUR/PROJECT
24            62  MBD0015F5C7/_VBA_PROJECT_CUR/PROJECTwm
25           977  MBD0015F5C7/_VBA_PROJECT_CUR/VBA/Sheet1
26           985  MBD0015F5C7/_VBA_PROJECT_CUR/VBA/ThisWorkbook
27          2329  MBD0015F5C7/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
28           517  MBD0015F5C7/_VBA_PROJECT_CUR/VBA/dir
29            94  MBD0015F5C8/CompObj
30            62  MBD0015F5C8/Ole
31         64830  MBD0015F5C8/CONTENTS
32            93  MBD0015F5C9/CompObj
33            64  MBD0015F5C9/Ole
34        124841  MBD0015F5C9/CONTENTS
35           114  MBD0015F5CA/CompObj
36           708  MBD0015F5CA/DocumentSummaryInformation
37         23248  MBD0015F5CA/SummaryInformation
38         97808  MBD0015F5CA/Workbook
39             0  MBD0015F5CA/_VBA_PROJECT_CUR/VBA/Sheet1
40             0  MBD0015F5CA/_VBA_PROJECT_CUR/VBA/ThisWorkbook
41             0  MBD0015F5CA/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
42          1579  MBD0015F5CB/OlE10nAtIvE
43            20  MBD0015F5CB/Ole
44        475759  Workbook
OLE vba

Using olevba, MalwareBazaar extracted the VBA script(s) from the OLE objects embedded in this file and reported the following indicators:

Type        Keyword      Description
Suspicious  Hex Strings  Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
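Worked example, added here and not code from MalwareBazaar, oledump, olevba or olefile: a triage pass over a stream listing like the OLE dump above. It consumes (path, size) pairs, so it runs on the table as transcribed (a subset of it is embedded below) or on the output of olefile's listdir() and get_size(). The grouping by MBD-prefixed storage, the case-folded Ole10Native match and the zero-length VBA module check are this example's own logic, not findings reported by the page's tools.

```python
"""Triage an oledump-style stream listing for the indicators this sample shows.

Added example for this page; not MalwareBazaar, oledump or olefile code.
Input is a list of (stream_path, size_in_bytes) pairs.
"""
import re
from collections import defaultdict

# Subset of the stream listing transcribed from the OLE dump above.
SAMPLE_STREAMS = [
    ("CompObj", 114),
    ("SummaryInformation", 120200),
    ("MBD0015F5C2/CompObj", 94),
    ("MBD0015F5C2/Ole", 62),
    ("MBD0015F5C2/CONTENTS", 20409),
    ("MBD0015F5C7/CompObj", 114),
    ("MBD0015F5C7/Workbook", 97872),
    ("MBD0015F5C7/_VBA_PROJECT_CUR/VBA/Sheet1", 977),
    ("MBD0015F5C7/_VBA_PROJECT_CUR/VBA/ThisWorkbook", 985),
    ("MBD0015F5C7/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT", 2329),
    ("MBD0015F5C7/_VBA_PROJECT_CUR/VBA/dir", 517),
    ("MBD0015F5CA/Workbook", 97808),
    ("MBD0015F5CA/_VBA_PROJECT_CUR/VBA/Sheet1", 0),
    ("MBD0015F5CA/_VBA_PROJECT_CUR/VBA/ThisWorkbook", 0),
    ("MBD0015F5CA/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT", 0),
    ("MBD0015F5CB/OlE10nAtIvE", 1579),
    ("MBD0015F5CB/Ole", 20),
    ("Workbook", 475759),
]

# Excel stores each embedded object in a storage named MBD + 8 hex digits.
EMBED_STORAGE = re.compile(r"^(MBD[0-9A-F]{8})/", re.IGNORECASE)
VBA_DIR = "_vba_project_cur/vba/"


def _normalise(name: str) -> str:
    """Fold case and strip the control-character prefix that olefile keeps on
    names such as '\\x01Ole10Native' and that oledump drops from its listing."""
    return name.lstrip("\x01\x03\x05").lower()


def triage(streams):
    """Group streams by embedded-object storage and report what each carries."""
    per_object = defaultdict(dict)  # storage -> {path inside storage: size}
    for path, size in streams:
        m = EMBED_STORAGE.match(path)
        if m:
            per_object[m.group(1).upper()][path[m.end():]] = size

    report = {"objects": len(per_object), "ole10native": [], "contents": [], "vba": {}}
    for storage, parts in sorted(per_object.items()):
        for tail, size in parts.items():
            # Packager payloads (files to drop) live in Ole10Native. Compare
            # case-insensitively: this sample spells it "OlE10nAtIvE", which a
            # rule matching the exact string "Ole10Native" would miss.
            if _normalise(tail) == "ole10native":
                report["ole10native"].append((storage, tail, size))
            # CONTENTS is the embedded server's private data; the CompObj
            # stream alongside it names the server (ProgID / clipboard format).
            elif _normalise(tail) == "contents":
                report["contents"].append((storage, size))
        # Module streams are everything under VBA/ except the dir stream and
        # the _VBA_PROJECT version-info stream.
        modules = [s for t, s in parts.items()
                   if t.lower().startswith(VBA_DIR)
                   and t[len(VBA_DIR):].lower() not in ("dir", "_vba_project")]
        if modules:
            # Zero-length module streams mean the storage carries VBA stream
            # names but no code for olevba to decompile.
            report["vba"][storage] = (len(modules), sum(1 for s in modules if s == 0))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STREAMS).items():
        print(f"{key}: {value}")
```

On the subset above the pass reports four embedded objects, one Ole10Native payload in MBD0015F5CB (the case-mangled name), one CONTENTS stream and two VBA projects, of which the MBD0015F5CA one has only empty module streams.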

Intelligence


File Origin
# of uploads :
3
# of downloads :
372
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file in the %AppData% directory
Creating synchronization primitives
Creating a file in the %temp% directory
Launching cmd.exe command interpreter
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Verdict:
Malicious
File Type:
Legacy Excel File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control embedequation exploit exploit lolbin macros shell32 shellcode sload
Label:
Benign
Suspicious Score:
2.1/10
Score Malicious:
22%
Score Benign:
78%
Result
Verdict:
MALICIOUS
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Result
Threat name:
FormBook, NSISDropper
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Behavior Graph ID: 1335552
Sample: RMW-2422.xls
Start date: 01/11/2023
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP: www.b2b-scaling.com; b2b-scaling.com
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree (node numbers in brackets are the graph's own):

EQNEDT32.EXE [12]
  network: 141.98.10.123:80 (source port 49162), HOSTBALTICLT, Lithuania
  dropped: C:\Users\user\AppData\Roaming\IGCC.exe (PE32); C:\Users\user\AppData\Local\...\IGCC[1].exe (PE32)
  signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  -> IGCC.exe [23]
       dropped: C:\Users\user\AppData\Local\...\dulzbez.exe (PE32)
       signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
       -> dulzbez.exe [31]
            signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            -> dulzbez.exe [36]
                 signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                 -> explorer.exe [41] (injected)
                      network: www.91967.net 20.205.142.141:80 (source port 49166), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; td-ccm-neg-87-45.wixdns.net 34.149.87.45:80 (source port 49167), ATGS-MMD-ASUS, United States; 6 other IPs or domains
                      signatures: System process connects to network (likely due to code injection or exploit)
                      -> wscript.exe [45]
                           network: www.ourrajasthan.com; ourrajasthan.com
                           signatures: System process connects to network (likely due to code injection or exploit); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           -> cmd.exe [49]
EQNEDT32.EXE [17]
  -> IGCC.exe [27]
       -> dulzbez.exe [34]
            -> dulzbez.exe [39]
AcroRd32.exe [19]
  -> RdrCEF.exe [29]
EXCEL.EXE [21]
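Worked example, added here and not a rule from the sandbox vendor or from the Sigma project: the three Equation Editor behaviours named in the signature list above (starts processes, connects to the internet, drops a file) expressed as checks over simplified Sysmon-style event records. The events are constructed to mirror the behaviour graph: the IP 141.98.10.123, port 80 and the dropped path C:\Users\user\AppData\Roaming\IGCC.exe are taken from it; the svchost.exe parent, the program paths and the benign records are assumptions for the demonstration.

```python
"""Flag Equation Editor (EQNEDT32.EXE) abuse in endpoint telemetry.

Added example for this page; not a rule from the sandbox report above or
from the Sigma project. Events are simplified Sysmon-style dicts of type
process_create, network_connect or file_create.
"""
import ntpath

EQN = "eqnedt32.exe"
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}

# Assumed install path; only the basename matters to the checks below.
EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL_PATH = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed telemetry modelled on the behaviour graph above (not sandbox output).
SAMPLE_EVENTS = [
    # EQNEDT32.EXE is an out-of-process COM server started by DcomLaunch
    # (svchost.exe), so EXCEL.EXE does not appear as its parent; that matches
    # the graph, where EQNEDT32.EXE is a root node rather than a child of EXCEL.EXE.
    {"type": "process_create", "image": EQN_PATH,
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "image": EQN_PATH,
     "dest_ip": "141.98.10.123", "dest_port": 80},
    {"type": "file_create", "image": EQN_PATH,
     "target": r"C:\Users\user\AppData\Roaming\IGCC.exe"},
    {"type": "process_create", "image": r"C:\Users\user\AppData\Roaming\IGCC.exe",
     "parent_image": EQN_PATH},
    # Benign noise that must not fire.
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "image": EXCEL_PATH,
     "target": r"C:\Users\user\AppData\Local\Temp\~DF1234.tmp"},
]


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return (rule, severity, detail) tuples in event order."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        image, parent = _base(ev.get("image")), _base(ev.get("parent_image"))
        if kind == "process_create" and image == EQN:
            # Equation Editor was removed by the January 2018 Office security
            # updates, so on a patched host any EQNEDT32.EXE start merits a look.
            alerts.append(("Equation Editor launched", "low", ev["image"]))
        elif kind == "process_create" and parent == EQN:
            # The equation editor has no legitimate reason to spawn children.
            alerts.append(("Office equation editor starts processes", "high", ev["image"]))
        elif kind == "network_connect" and image == EQN:
            alerts.append(("EQNEDT32.EXE connecting to internet", "high",
                           f"{ev['dest_ip']}:{ev['dest_port']}"))
        elif kind == "file_create" and image == EQN:
            ext = ntpath.splitext(ev["target"])[1].lower()
            alerts.append(("File dropped by EQNEDT32.EXE",
                           "high" if ext in EXEC_EXT else "medium", ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, severity, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {detail}")
```

The parent-process point is the one that trips up rules written against the Office process: because EQNEDT32.EXE is launched over DCOM, a rule keyed on EXCEL.EXE spawning children sees nothing here, which is why the checks above make EQNEDT32.EXE itself the subject.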
Threat name:
Document-Office.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2023-11-01 16:04:07 UTC
File Type:
Document
Extracted files:
99
AV detection:
10 of 22 (45.45%)
Threat level:
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook campaign:sy22 rat spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1
Author:ditekSHen
Description:detects OLE documents potentially exploiting CVE-2017-11882
Rule name:informational_win_ole_protected
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:maldoc_OLE_file_magic_number
Author:Didier Stevens (https://DidierStevens.com)
Rule name:office_document_vba
Author:Jean-Philippe Teissier / @Jipe_
Description:Office document with embedded VBA
Reference:https://github.com/jipegit/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xls 97acc5c52513ead4ba018af7dd726edd3179f993099640681cd706db4d263f38

(this sample)

Delivery method
Distributed via e-mail attachment

Comments