MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a
SHA3-384 hash: 8bb3f92c2223b93ee8bf7be783a1f5e1f2dcea39ee6429664376942907527ed74978df84c590cf976e5cffd494f78ac7
SHA1 hash: 931c0bc5c5ff7fa3f46750f184307db358d28531
MD5 hash: 619530e476b434650606da28cccccc30
humanhash: april-aspen-leopard-ack
File name:БАНКТІҢ ТӨЛЕМІН РАСТАУ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:688'128 bytes
First seen:2022-11-17 07:14:00 UTC
Last seen:2022-11-17 08:40:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EjcW0FgsUGcvM8fQGCuHYrX5WjRSNCfs97MR/mMVNP2VztOHkEji:1TB8fQDxrJW2gReMf+Vkji
Threatray 18'512 similar samples on MalwareBazaar
TLSH T11EE401FD7BD65F22C68897F98863272403BAB98B1671F3491CE452D64E407F08A45BCE
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13097/50/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
БАНКТІҢ ТӨЛЕМІН РАСТАУ.exe
Verdict:
Malicious activity
Analysis date:
2022-11-17 07:17:12 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/d4669148-c76f-4869-a9c2-135cbc754d13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/335208/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44597.23382.13421.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6375df3ff75d59fef0b9a696/reports/1f161e88-dadd-4d60-b6eb-a75fc25e0e75/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d73116d-9a53-44c5-9071-9945eee17529
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115548
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748257 Sample: 10#U0423.exe Startdate: 17/11/2022 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 Sigma detected: Scheduled temp file as task from temp location 2->66 68 8 other signatures 2->68 10 10#U0423.exe 7 2->10         started        14 zmOfCnDnccnyZ.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\zmOfCnDnccnyZ.exe, PE32 10->46 dropped 48 C:\...\zmOfCnDnccnyZ.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmpE4FA.tmp, XML 10->50 dropped 52 C:\Users\user\AppData\...\10#U0423.exe.log, ASCII 10->52 dropped 76 Uses schtasks.exe or at.exe to add and modify task schedules 10->76 78 Writes to foreign memory regions 10->78 80 Adds a directory exclusion to Windows Defender 10->80 16 RegSvcs.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        82 Multi AV Scanner detection for dropped file 14->82 84 Machine Learning detection for dropped file 14->84 86 Injects a PE file into a foreign processes 14->86 23 RegSvcs.exe 14->23         started        25 schtasks.exe 1 14->25         started        27 RegSvcs.exe 14->27         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 16->54 56 Maps a DLL or memory area into another process 16->56 58 Sample uses process hollowing technique 16->58 60 2 other signatures 16->60 29 explorer.exe 16->29 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 explorer.exe 23->35         started        37 conhost.exe 25->37         started        process8 process9 39 wlanext.exe 29->39         started        signatures10 70 Modifies the context of a thread in another process (thread injection) 39->70 72 Maps a DLL or memory area into another process 39->72 74 Tries to detect virtualization through RDTSC time measurements 39->74 42 cmd.exe 1 39->42         started        process11 process12 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-17 03:35:46 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbwc7k7wwq6qqxoetsaszocrjuetyu5mjpwmvxzrd7moru2lrqfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a22fb14f837309023971bf41b88cfc9b3ae7d9db44da63257d36d73dbd716ad
Formbook
78c83e6e7ce1c4708302ea7cd0a51b142b49f1e58e5fdefa07d9891b019683a4
Formbook
82af565b7d2f28f00825f68db5bb45a783d1a89f1119f0d479e8b60e721c141e
Formbook
8848260baf85d9da96dcabdb756b5ac0fd6449361ad497d6e68a81cfe8565aad
Formbook
8ce37af1383c79989d2d67cd434c4cd652e2c9fa7d69b271c32f313fc2f884c4
Formbook
9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52
Formbook
a72d23291c793083519a7095c31a259f88b62f15759f7988894bf6b99903cc23
Formbook
d6542847f6e753bcb676e6d891d85d88ff5a38fe7150975f53ac5863922a7667
Formbook
d93ce6e65ad61e6e424cc6bb2e48eebb312ffe7ff11585bba086c16550a466e6
Formbook
+ 18'502 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d0a7 rat spyware stealer trojan
Link:
https://tria.ge/reports/221117-h2nwrahh51/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57c05b95-a70b-4e62-9a33-2ede553a3dfe
Unpacked files
SH256 hash:
8892eba2280a5329f01601f05660f2cf6378b26079c711918122e6254f56053e
MD5 hash:
95b0147ddcfb4c39c926719904d486b8
SHA1 hash:
8b29c6db7eefc6fc2bff55348d17c1ce98582c49
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
Parent samples :
986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a
43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf
a16f1b224236623703e2d71d4abc9e6228c90b96776c6663892387325c8e6e90
SH256 hash:
a365d008649579374653afafb134f7e233fa1c4ada1c972613fd3562db05be16
MD5 hash:
4e38e24d6d5efa2f58f5936717af7bea
SHA1 hash:
d49f1277f004322a05d29744af5f08e55ecb7724
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
SH256 hash:
414fae2243b81f71b170b1240b69dd4b9ea6b367fb92adb4c9c7bb6ee23c26f0
MD5 hash:
3f682817f973cdf37ad16137e091f976
SHA1 hash:
d21dd36f62023aa3ffbb9bd73d59322adce209c1
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
SH256 hash:
409feacd92f6937dc6ffb0733c63e1342a661497e72dd379ff4d049bfb957203
MD5 hash:
d932dea47abd66628c3331dce96efc5c
SHA1 hash:
a1e42c69a53b4bd6dd348b99849a2ad9dbda07b7
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
SH256 hash:
986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a
MD5 hash:
619530e476b434650606da28cccccc30
SHA1 hash:
931c0bc5c5ff7fa3f46750f184307db358d28531
Link:
https://www.unpac.me/results/665e62b9-2aed-4f56-9a77-a6f45b8596ba/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/986c2fabf6b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip fde95387b5fb0029a898096b7b74f9f7111630322cddbe0384012c21917fd90c

Formbook

Executable exe 986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fde95387b5fb0029a898096b7b74f9f7111630322cddbe0384012c21917fd90c
Cape
Cape
https://www.capesandbox.com/analysis/335208/
  
Dropped by
MD5 e65a9ed62ed1f1398bd3a95fc51aadba

Comments