MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
SHA3-384 hash: 32dcfb7548393d75ccb4bd6ef479283d141d818b70bf5fe61776d8bf248663e4925de66fcf3ab32c4eb2574e2f9e8d5a
SHA1 hash: d8f8e1b07996ba6d8d3f482c2ab710853ee91f8b
MD5 hash: fcd6f1cc2f300673b3940b9623f4267f
humanhash: fish-lamp-grey-vermont
File name:SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886
Download: download sample
Signature Formbook
Create hunting rule
File size:658'944 bytes
First seen:2022-11-28 20:30:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:dec3pbKbflZUMvkEN2KMK+SknwYDZD5BUUEwcfJZSpH+:d1ZbKbUM7MKJYVEEbp
TLSH T118E41243326E1750D36C7BB028E5DB607BB47C3E94B3D46E2988369F4973A009E75B29
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirmation transfer Copy AGS # 22-0035.xls
Verdict:
Malicious activity
Analysis date:
2022-11-28 16:47:00 UTC
Tags:
macros
Link:
https://app.any.run/tasks/d6a6d978-0a2c-4801-83fd-930f49ee96bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339542/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed phishing
Link:
https://www.filescan.io/uploads/63851a875be128ac718f5f07/reports/05e27529-386f-418f-89e5-51a4246c7188/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9da7eefc-3683-42e6-944c-1594b707e410
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122870
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755594 Sample: SecuriteInfo.com.BackDoor.S... Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 6 other signatures 2->51 7 NdTjnguQflTNNq.exe 5 2->7         started        10 SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe 7 2->10         started        process3 file4 53 Multi AV Scanner detection for dropped file 7->53 55 Machine Learning detection for dropped file 7->55 57 Injects a PE file into a foreign processes 7->57 13 NdTjnguQflTNNq.exe 7->13         started        16 schtasks.exe 1 7->16         started        37 C:\Users\user\AppData\...37dTjnguQflTNNq.exe, PE32 10->37 dropped 39 C:\...39dTjnguQflTNNq.exe:Zone.Identifier, ASCII 10->39 dropped 41 C:\Users\user\AppData\Local\...\tmp919E.tmp, XML 10->41 dropped 43 SecuriteInfo.com.B...21875.15886.exe.log, ASCII 10->43 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 10->59 61 Adds a directory exclusion to Windows Defender 10->61 18 powershell.exe 21 10->18         started        20 schtasks.exe 1 10->20         started        22 SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe 10->22         started        24 SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe 10->24         started        signatures5 process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 13->65 67 Maps a DLL or memory area into another process 13->67 69 Sample uses process hollowing technique 13->69 71 Queues an APC in another process (thread injection) 13->71 26 systray.exe 13->26         started        29 explorer.exe 13->29 injected 31 conhost.exe 16->31         started        33 conhost.exe 18->33         started        35 conhost.exe 20->35         started        process8 signatures9 63 Maps a DLL or memory area into another process 26->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 11:36:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tb4djxpzp4jnxmdod5ucb7jug3yce3p7u6fmn7hmrmy4yux5wjvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:q4k5 rat spyware stealer trojan
Link:
https://tria.ge/reports/221128-zapgmshh31/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Unpacked files
SH256 hash:
dc167c51e5b18a4f3082103c883acd0e2731355790b162fa028c464529c6c8fa
MD5 hash:
59206528ecaad5375d547e8a9c2616f6
SHA1 hash:
69fdb679ed8157c39455350c9012831d5c10f682
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
Parent samples :
efe299573660e349b6169b099708c6794d5b593095b9a81ac5000a9b18936252
987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
fa6c3d318b33c9f659b283d02ed355e6c82988ed44d5f7458f043ed6d7997d9b
f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
SH256 hash:
894053c4ccde8e981818530f3890240aac621a745ded33c058496562181a2cb1
MD5 hash:
987b5b7b10457a0685a2b3e64fa3398c
SHA1 hash:
3be6f7b24b17be260e215e3b80a57d59c8d7e4c6
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
SH256 hash:
4cade9541e2d91158113bdefb37c63a3c96922ac13a59080ddcb9d2136ef2ff9
MD5 hash:
5049545148c343aeb40c64f7891ae5b3
SHA1 hash:
f0c3a00b90713942cbc71996d3095136e8058e76
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
SH256 hash:
28834c646df7bfafe0e34ea959dac3e74644c83f27fec8b05ed00a22eecd8946
MD5 hash:
47d470dab0639dff90b43813481f6c77
SHA1 hash:
a6de5f37755827bf07dd2ea864cb68260e029f90
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
SH256 hash:
987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
MD5 hash:
fcd6f1cc2f300673b3940b9623f4267f
SHA1 hash:
d8f8e1b07996ba6d8d3f482c2ab710853ee91f8b
Link:
https://www.unpac.me/results/721b61b8-2212-47b9-b326-5811c238efdb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/987834ddf97f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2436024/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2436023/
Cape
Cape
https://www.capesandbox.com/analysis/339542/

Comments