MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0
SHA3-384 hash: 5e2f5880dd4de1f7f15ee03049807e97b8ca5028adafba11d0ad26dd2587fcb37917a9e2d4b3852163d5c69c12d11d17
SHA1 hash: 66a168a23b0a6947e6c1145f5836dc55da21c82e
MD5 hash: b42515e2f9cb5a3ee7ad6bc34a295677
humanhash: hot-pluto-pip-wolfram
File name:b42515e2f9cb5a3ee7ad6bc34a295677
Download: download sample
Signature Formbook
Create hunting rule
File size:330'512 bytes
First seen:2022-10-10 08:40:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmbgeYN1+l4CuaQXZkvau9xXuJXn+ddQuGuf4khB8c+ncN5PMeqgLQCl:HNlbgBvM6ZkvP9xXuZ+bVfr8c+ePM1gT
Threatray 611 similar samples on MalwareBazaar
TLSH T1FD641298B521C057E4B2873A1D7C5B626BBF95020498231F87546BAEBD33AC6CF0E3C4
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318273/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Running batch commands
Searching for the window
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42182/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6343daa11ddf36bcc3f43374/reports/d64a9851-caef-418e-b597-631b32d995f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46b1948a-2be5-477d-a053-8e16fd00f920
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087449
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720026 Sample: DMYum4g6jE.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 93 Multi AV Scanner detection for domain / URL 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus detection for URL or domain 2->97 99 7 other signatures 2->99 11 DMYum4g6jE.exe 18 2->11         started        14 remcos.exe 2->14         started        17 remcos.exe 1 2->17         started        19 remcos.exe 2->19         started        process3 file4 77 C:\Users\user\AppData\Local\...\voqfrwvp.exe, PE32 11->77 dropped 21 voqfrwvp.exe 2 11->21         started        79 C:\Users\user\AppData\Local\Temp\739A.tmp, PE32 14->79 dropped 81 C:\Users\user\AppData\Local\Temp\6B3D.tmp, PE32 14->81 dropped 119 Maps a DLL or memory area into another process 14->119 25 remcos.exe 14->25         started        27 remcos.exe 14->27         started        29 WerFault.exe 14->29         started        83 C:\Users\user\AppData\Local\Temp\20A7.tmp, PE32 17->83 dropped 31 WerFault.exe 10 17->31         started        34 remcos.exe 17->34         started        85 C:\Users\user\AppData\Local\Temp\41DB.tmp, PE32 19->85 dropped 36 remcos.exe 19->36         started        38 WerFault.exe 19->38         started        signatures5 process6 dnsIp7 69 C:\Users\user\AppData\Local\Temp\DC2D.tmp, PE32 21->69 dropped 71 C:\Users\user\AppData\Local\Temp\D71B.tmp, PE32 21->71 dropped 109 Multi AV Scanner detection for dropped file 21->109 111 Machine Learning detection for dropped file 21->111 113 Found hidden mapped module (file has been removed from disk) 21->113 115 Maps a DLL or memory area into another process 21->115 40 voqfrwvp.exe 5 4 21->40         started        43 WerFault.exe 23 9 21->43         started        45 voqfrwvp.exe 21->45         started        91 192.168.2.1 unknown unknown 31->91 file8 signatures9 process10 file11 73 C:\ProgramData\Remcos\remcos.exe, PE32 40->73 dropped 75 C:\Users\user\AppData\Local\...\install.vbs, data 40->75 dropped 47 wscript.exe 1 40->47         started        process12 process13 49 cmd.exe 1 47->49         started        process14 51 remcos.exe 2 49->51         started        55 conhost.exe 49->55         started        file15 65 C:\Users\user\AppData\Local\Temp\1D6C.tmp, PE32 51->65 dropped 67 C:\Users\user\AppData\Local\Temp\176.tmp, PE32 51->67 dropped 101 Multi AV Scanner detection for dropped file 51->101 103 Machine Learning detection for dropped file 51->103 105 Found hidden mapped module (file has been removed from disk) 51->105 107 Maps a DLL or memory area into another process 51->107 57 remcos.exe 2 17 51->57         started        61 WerFault.exe 19 9 51->61         started        63 remcos.exe 51->63         started        signatures16 process17 dnsIp18 87 91.192.100.20, 49703, 7967 AS-SOFTPLUSCH Switzerland 57->87 89 geoplugin.net 178.237.33.50, 49704, 80 ATOM86-ASATOM86NL Netherlands 57->89 117 Installs a global keyboard hook 57->117 signatures19
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 08:42:18 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpkaatl3o55swpssfbazyjg62k4tweuldkn6zwoysfgabcqe2kqa._file
Verdict:
malicious
Similar samples:
058bce4a498b1f075cd7100d2bc46a205b7d808acde265293efca026125e1857
Formbook
45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
Formbook
6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe
Formbook
9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e
Formbook
b1bc91086e6fe98ad32079eec01e28b01ae0706d513bf494bd321aaf22e641ec
Formbook
b89449bf3d7fe4c6e077f9940c78433737f1c57e6fe04a9aa725f451fb439176
Formbook
ff4cff76876cda952a48855396ca07f5fb5216a5df0efd10c9701c135552703c
Formbook
+ 601 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:test collection persistence rat spyware stealer upx
Link:
https://tria.ge/reports/221010-klfasabcb3/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
91.192.100.20:7967
Gathering data
Unpacked files
SH256 hash:
6eed9b3d658b78350df592eeac27e672dcb06b596ee92ea3dcedb48f3bedae12
MD5 hash:
bde82f7ae3aa0ef8abcfd541aa8fdb56
SHA1 hash:
d68ae4535984b7fa28468e10440ef2fbc419ecfa
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6e9800f0-5262-4089-8000-3a23a055d422/
Parent samples :
9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0
6666e726f66dfa52c7c2e17523f4a72b3936539fd6baddea1cf5b2b35e9f49b0
4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
SH256 hash:
4c23eb8537ed56eedbf0aab2e062de7113bdabb31e2db4ff4945f54ce7c415d2
MD5 hash:
fff5ceed8d5b55c24e23f7b92d6b6b2f
SHA1 hash:
750c86890054621ebac638d0c6747d2485c244cf
Link:
https://www.unpac.me/results/6e9800f0-5262-4089-8000-3a23a055d422/
SH256 hash:
9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0
MD5 hash:
b42515e2f9cb5a3ee7ad6bc34a295677
SHA1 hash:
66a168a23b0a6947e6c1145f5836dc55da21c82e
Link:
https://www.unpac.me/results/6e9800f0-5262-4089-8000-3a23a055d422/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bd4004d7b77/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2354986/
Cape
Cape
https://www.capesandbox.com/analysis/318273/

Comments


Avatar
zbet commented on 2022-10-10 08:40:56 UTC

url : hxxp://103.114.107.27/winsave/vbc.exe