MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea
SHA3-384 hash: 3c6f19af40e4da07ab9142c85c0aa2796a4bcf8f01fb91e782315041f7ce53e1f3cb06975237fc028fb62df5ee676d0c
SHA1 hash: dbb94e0f0a99558b8786a2c2ce3322ba281e7f9c
MD5 hash: 34c80f81e518370f859cc9f2454e6d83
humanhash: mexico-cola-pluto-island
File name:34c80f81e518370f859cc9f2454e6d83.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'047'552 bytes
First seen:2021-11-03 19:25:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 12288:leMZj0Cgr/vTwXTnYQUluk8wRR51Pyu4y:kM9Y/vOTnHNwrJyXy
Threatray 11'374 similar samples on MalwareBazaar
TLSH T1A4255C915E5A84F6D85B2B39103B9A2972346D702D252846DEFBBD830DF72C3A1F5C83
File icon (PE):PE icon
dhash icon e4eee286acb4bcb4 (16 x RemcosRAT, 12 x Formbook, 3 x DBatLoader)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
34c80f81e518370f859cc9f2454e6d83.exe
Verdict:
Malicious activity
Analysis date:
2021-11-03 19:47:04 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/d7df0aa6-bc55-40e4-8c44-2797e55cdd76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/202015/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Modifying an executable file
Creating a window
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger neshta overlay
Link:
https://www.filescan.io/uploads/6182e24d9982ff7c3f7e12c8/reports/70b1ecd6-f710-4bd1-9c33-9757171986df/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10b90f42-6354-4d3a-8918-96720667fd61
Result
Threat name:
Neshta
Create hunting rule
Detection:
malicious
Classification:
spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/882574
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 19:26:07 UTC
AV detection:
42 of 44 (95.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5y666rhg2lhj57vxnhweazvrjsil7f5bqs7bsacoi3eofvhhxva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
44447e8ee66daa872048fcca50842694d35a78e77cf9d6ac8e8e4979958d46e7
Formbook
94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc
Formbook
a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
Formbook
b56e7b2be2bb194db6e8e7c95e9477c49863e0eb8d2818f266f69e8e1a09647b
Formbook
c714016a86e00deb18aa9c8a9f786b69e5bfcc2e341218d51946b722522cab37
Formbook
cd68f767521571e7cf8acfe5671f15ee164f5f0f075b32448ffddaddd5c6351e
Formbook
cf06e027c3102bcc58a5306d7d16f6955c1aff1f2aefc43c325e230ebeb5ed52
Formbook
+ 11'364 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xloader campaign:rqan loader persistence rat spyware stealer
Link:
https://tria.ge/reports/211103-x5h71aefb3/
Behaviour
Enumerates system info in registry
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Modifies system executable filetype association
Neshta
Xloader
Malware Config
C2 Extraction:
http://www.cardboutiqueapp.com/rqan/
Unpacked files
SH256 hash:
9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea
MD5 hash:
34c80f81e518370f859cc9f2454e6d83
SHA1 hash:
dbb94e0f0a99558b8786a2c2ce3322ba281e7f9c
Link:
https://www.unpac.me/results/aca5938d-f4c9-469b-8288-2b74b56351d9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9f71ef7a2736/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1722888/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/202015/

Comments