MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548
SHA3-384 hash: 7040b7ea6c7ac44667ed3d7f76356a4b7987f76d289e03e3d21aefa1470880d784a6b23130c83974a8c71fa7ed224a69
SHA1 hash: dbc28aa27dae6704d3344b0fc685cf9afab70067
MD5 hash: b50c8d52a000d981d40fab8469f67e62
humanhash: oven-florida-georgia-white
File name:b50c8d52a000d981d40fab8469f67e62
Download: download sample
Signature Formbook
Create hunting rule
File size:196'408 bytes
First seen:2022-04-27 17:26:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:l1NjcVVnLpPunbVkJqXn8NbIaB3EB/Sg+OtytKReeUyhVkBNJ3UMkpixxkivrtqU:HNeZmV7YbPBUB/Sg+WytgUyrkjJEMxPn
Threatray 15'410 similar samples on MalwareBazaar
TLSH T1EE14022D2BD5C07FE8511732293B226B6EFC652725709B8F27001E4D7E32A85EE5E742
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/267290/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook nemesis overlay packed python shell32.dll
Link:
https://www.filescan.io/uploads/62697cf95c1970f8bbdf514b/reports/2f243025-4562-4ddc-bc66-4ed9cf68c682/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2122c05-fb84-4752-ab44-1a08c5874b1f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/984255
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 616751 Sample: uLvTLIlSHa Startdate: 27/04/2022 Architecture: WINDOWS Score: 100 36 www.ord12route.art 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 4 other signatures 2->52 12 uLvTLIlSHa.exe 18 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\whblsmqmse.exe, PE32 12->34 dropped 15 whblsmqmse.exe 12->15         started        process6 signatures7 60 Multi AV Scanner detection for dropped file 15->60 62 Tries to detect virtualization through RDTSC time measurements 15->62 18 whblsmqmse.exe 15->18         started        process8 signatures9 38 Modifies the context of a thread in another process (thread injection) 18->38 40 Maps a DLL or memory area into another process 18->40 42 Sample uses process hollowing technique 18->42 44 Queues an APC in another process (thread injection) 18->44 21 explorer.exe 18->21 injected process10 process11 23 msdt.exe 21->23         started        signatures12 54 Modifies the context of a thread in another process (thread injection) 23->54 56 Maps a DLL or memory area into another process 23->56 58 Tries to detect virtualization through RDTSC time measurements 23->58 26 cmd.exe 1 23->26         started        28 explorer.exe 101 23->28         started        30 explorer.exe 65 23->30         started        process13 process14 32 conhost.exe 26->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-26 18:30:16 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=th36a74e4qhdmk2y264eceejr3ngntq6nedlfyt7d2njzluq4vea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c
Formbook
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
Formbook
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
Formbook
6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068
Formbook
8085268c9f2053c82abbff7add9efff451f11994a1ae313718cdecf2c693da06
Formbook
84c208a81f0251fddaaafd620cbcbf4e004cf195c1bb3e72a4200669a7f50859
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 15'400 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hsot loader rat suricata
Link:
https://tria.ge/reports/220427-v1d2daagfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
555ded060868be10653ecf88ab9a8caf892bab5de66ea09933a6215bdd151109
MD5 hash:
6a7593f91560ef0dd1dd209074fd2e55
SHA1 hash:
0b85b5c0544133e18356563d097d5db56d0095ba
Link:
https://www.unpac.me/results/b509b434-850a-40ab-bd8a-8ed92e8c33fa/
SH256 hash:
20c6c6c93a6fa408df601570ccd3ec08ce0a55346ce917cfd51718451e7dc32a
MD5 hash:
c23939ee4a35f10923556385526ad6cb
SHA1 hash:
f8800732bad3fd2b9d4bde1c7854a7c4d1b0a842
Link:
https://www.unpac.me/results/b509b434-850a-40ab-bd8a-8ed92e8c33fa/
SH256 hash:
f72993da75396849b8f58292a3fc1692bd5f9df07fc0526cb3b4e4af427f53e9
MD5 hash:
f681eb16d79cca0fd14a7796d6d8b45d
SHA1 hash:
a90f0607f42b7c1c6fe96c620a21fc6a525e059b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b509b434-850a-40ab-bd8a-8ed92e8c33fa/
Parent samples :
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548
e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SH256 hash:
99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548
MD5 hash:
b50c8d52a000d981d40fab8469f67e62
SHA1 hash:
dbc28aa27dae6704d3344b0fc685cf9afab70067
Link:
https://www.unpac.me/results/b509b434-850a-40ab-bd8a-8ed92e8c33fa/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99f7e07f84e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2167668/
Cape
Cape
https://www.capesandbox.com/analysis/267290/

Comments


Avatar
zbet commented on 2022-04-27 17:26:27 UTC

url : hxxp://37.0.11.227/files/psmzx.exe