MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Maldoc score: 22


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca
SHA3-384 hash: f4d87b9efb03a9102019adf4654349dd02792795db92f584cfdfd94998facbd96638808b9062c3d2618857a61b457167
SHA1 hash: 176b67e99bb252345bf71b30e909a47f6f95333d
MD5 hash: bb4c1fc0513552cb4a5845d8acad983c
humanhash: table-solar-batman-ten
File name:PI.xls
Download: download sample
Signature Formbook
Create hunting rule
File size:586'240 bytes
First seen:2022-11-25 11:28:18 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:l5UMHq/88o5zJOcVLEP9iEtHlifM9fGaHC:l2M2C5zJwbtHv9fGa
TLSH T1D1C48C9277C08CB0C4482AB385D97350B77EAF03A64D5C03767A77492E3A3E05F2AB56
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter lowmal3
Tags:FormBook xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 22
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2244 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4379310 bytesWorkbook
5477 bytes_VBA_PROJECT_CUR/PROJECT
686 bytes_VBA_PROJECT_CUR/PROJECTwm
7950 bytes_VBA_PROJECT_CUR/VBA/Module1
8991 bytes_VBA_PROJECT_CUR/VBA/Sheet1
9187549 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
102851 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
111760 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
12209 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
131003 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
14390 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
15564 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
IOC185.246.220.65IPv4 address
IOCsvchost.exeExecutable file name
IOCOrder_088067.exeExecutable file name
SuspiciousOpenMay open a file
SuspiciouswriteMay write to a file (if combined with Open)
SuspiciousAdodb.StreamMay create a text file
SuspicioussavetofileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousRunMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousMicrosoft.XMLHTTPMay download files from the Internet
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PI.xls
Verdict:
Malicious activity
Analysis date:
2022-11-25 11:31:18 UTC
Tags:
macros macros-on-open loader formbook trojan stealer
Link:
https://app.any.run/tasks/54a856b2-1443-4ac3-bbcc-58c19f299a1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338428/
Detection(s):
MiscreantPunch.EvilMacro.AODBWSRBMS.UNOFFICIAL
Create hunting rule

Doc.Dropper.Agent-6412232-1
Create hunting rule

TwinWave.EvilDoc.PublicDottedQuadDLrRunLikeHell.20210223.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Office.Macro-11.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Xls.Wshell.G.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Launching a process
Unauthorized injection to a system process
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca/results/dashboard
Payload URLs
URL
File name
http://185.246.220.65/btc/Order_088067.exe
ThisWorkbook
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware language-mt macros macros-on-open setupapi.dll shdocvw.dll shell32.dll svchost.exe
Link:
https://www.filescan.io/uploads/6380a6ff536377388865ca0f/reports/9488282a-f2a3-45db-ba05-bfdf96087112/overview
Label:
Malicious
Suspicious Score:
7.8/10
Score Malicious:
78%
Score Benign:
22%
Link:
https://www.malware.ai/gui/files/?id=0ea85bde-40ed-4984-9e0b-602283d524ff
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121101
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753818 Sample: PI.xls Startdate: 25/11/2022 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 16 other signatures 2->76 13 EXCEL.EXE 53 24 2->13         started        18 taskeng.exe 1 2->18         started        process3 dnsIp4 68 185.246.220.65, 49173, 80 LVLT-10753US Germany 13->68 58 C:\Users\user\AppData\Local\...\svchost.exe, PE32 13->58 dropped 60 C:\Users\user\AppData\...\Order_088067[1].exe, PE32 13->60 dropped 62 C:\Users\user\Desktop\PI.xls, Composite 13->62 dropped 98 Document exploit detected (creates forbidden files) 13->98 20 svchost.exe 32 13->20         started        23 svcupdater.exe 1 18->23         started        file5 signatures6 process7 file8 54 C:\Users\user\AppData\Local\...\gtolaje.exe, PE32 20->54 dropped 26 wscript.exe 2 1 20->26         started        86 Antivirus detection for dropped file 23->86 signatures9 process10 process11 28 gtolaje.exe 2 26->28         started        signatures12 88 Antivirus detection for dropped file 28->88 90 Found API chain indicative of sandbox detection 28->90 92 Contains functionality to inject code into remote processes 28->92 94 4 other signatures 28->94 31 RegSvcs.exe 5 28->31         started        34 RegSvcs.exe 28->34         started        process13 file14 64 C:\Users\user\AppData\...\FB_CAF.tmp.exe, PE32 31->64 dropped 66 C:\Users\user\AppData\...\FB_7CE.tmp.exe, PE32 31->66 dropped 36 FB_7CE.tmp.exe 31->36         started        39 FB_CAF.tmp.exe 2 31->39         started        process15 file16 78 Antivirus detection for dropped file 36->78 80 Machine Learning detection for dropped file 36->80 82 Modifies the context of a thread in another process (thread injection) 36->82 84 4 other signatures 36->84 42 explorer.exe 36->42 injected 56 C:\Users\user\AppData\...\svcupdater.exe, PE32 39->56 dropped 44 cmd.exe 39->44         started        signatures17 process18 signatures19 47 svchost.exe 42->47         started        96 Uses schtasks.exe or at.exe to add and modify task schedules 44->96 50 schtasks.exe 44->50         started        process20 signatures21 100 Modifies the context of a thread in another process (thread injection) 47->100 102 Maps a DLL or memory area into another process 47->102 104 Tries to detect virtualization through RDTSC time measurements 47->104 52 cmd.exe 47->52         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca/
Threat name:
Script.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 08:23:28 UTC
File Type:
Document
Extracted files:
20
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2zlplftvmiopgttd5m5rsygotg257zqhwzjbimoq3marufow3fa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:nurs macro macro_on_action rat spyware stealer trojan
Link:
https://tria.ge/reports/221125-nlj6hsgg6z/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f342e229-f362-494d-aa43-a03042d9c099
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9eb2b7acb3ab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xls 9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/338428/

Comments