MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4
SHA3-384 hash: 94a2b1450c7c3dde11ec61406743515c573aac5a18745cde496d15ccc3cdd93a8980c6bddc3c7976d0a68dcc4cfffcfa
SHA1 hash: f372dd5ae3354c900767745423656a1846898abf
MD5 hash: 97cf574d71a2264657126ec9cb413ad7
humanhash: quebec-skylark-wyoming-beer
File name:SecuriteInfo.com.Win32.DropperX-gen.29632.23307
Download: download sample
Signature Formbook
Create hunting rule
File size:1'135'104 bytes
First seen:2023-09-19 10:32:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f44d2d08aa3f7e0759f9441d70198a12 (2 x DBatLoader, 1 x Formbook, 1 x RemcosRAT)
ssdeep 12288:eo1mZWdG+Q25wOymUo04zNbv/dY/gmfXJJG2uZX8H5ZravCvhOX:e0pG+F53ycRVv/eIKGfZX8H5tavos
Threatray 3'518 similar samples on MalwareBazaar
TLSH T197358D24B352EC60F01AB975C84B6A88E0E93CD07E5D68CA51EC39361AF93E37E1C557
TrID 75.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
12.4% (.EXE) InstallShield setup (43053/19/16)
4.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.7% (.SCR) Windows screen saver (13097/50/3)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 809cf0f2c4c2d000 (2 x DBatLoader, 1 x Formbook, 1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449647/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.29632.23307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay
Link:
https://www.filescan.io/uploads/650978e11edabd99829cd08e/reports/dc303345-b60b-4a16-b0ea-f4e1d1c6a677/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a090d4a8-a029-4339-aa02-dcc6f63799b1
Result
Threat name:
DBatLoader, FormBook, Magniber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310703
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected Magniber Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310703 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 104 Snort IDS alert for network traffic 2->104 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 11 other signatures 2->110 11 SecuriteInfo.com.Win32.DropperX-gen.29632.23307.exe 1 7 2->11         started        process3 dnsIp4 84 web.fe.1drv.com 11->84 86 onedrive.live.com 11->86 88 2 other IPs or domains 11->88 60 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->60 dropped 62 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->62 dropped 64 C:\Users\Public\Libraries\Zgwzpqle.PIF, PE32 11->64 dropped 142 Drops PE files with a suspicious file extension 11->142 144 Writes to foreign memory regions 11->144 146 Allocates memory in foreign processes 11->146 148 2 other signatures 11->148 16 SndVol.exe 11->16         started        19 cmd.exe 1 11->19         started        file5 signatures6 process7 signatures8 90 Modifies the context of a thread in another process (thread injection) 16->90 92 Maps a DLL or memory area into another process 16->92 94 Sample uses process hollowing technique 16->94 102 2 other signatures 16->102 21 explorer.exe 29 16->21 injected 96 Uses ping.exe to sleep 19->96 98 Drops executables to the windows directory (C:\Windows) and starts them 19->98 100 Uses ping.exe to check the status of other devices and networks 19->100 25 easinvoker.exe 19->25         started        27 PING.EXE 1 19->27         started        29 xcopy.exe 2 19->29         started        32 8 other processes 19->32 process9 dnsIp10 76 drrcybersec.com 20.119.0.38, 49739, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->76 78 weaverhaim.site 112.175.247.150, 49743, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 21->78 82 15 other IPs or domains 21->82 128 System process connects to network (likely due to code injection or exploit) 21->128 34 Zgwzpqle.PIF 21->34         started        38 cmstp.exe 21->38         started        40 cmmon32.exe 21->40         started        42 cmd.exe 1 25->42         started        80 127.0.0.1 unknown unknown 27->80 66 C:\Windows \System32\easinvoker.exe, PE32+ 29->66 dropped 68 C:\Windows \System32\netutils.dll, PE32+ 32->68 dropped file11 signatures12 process13 dnsIp14 70 web.fe.1drv.com 34->70 72 onedrive.live.com 34->72 74 2 other IPs or domains 34->74 112 Multi AV Scanner detection for dropped file 34->112 114 Machine Learning detection for dropped file 34->114 116 Writes to foreign memory regions 34->116 126 3 other signatures 34->126 44 colorcpl.exe 34->44         started        118 Modifies the context of a thread in another process (thread injection) 38->118 120 Maps a DLL or memory area into another process 38->120 122 Tries to detect virtualization through RDTSC time measurements 38->122 47 cmd.exe 38->47         started        124 Adds a directory exclusion to Windows Defender 42->124 49 cmd.exe 1 42->49         started        51 conhost.exe 42->51         started        signatures15 process16 signatures17 132 Modifies the context of a thread in another process (thread injection) 44->132 134 Maps a DLL or memory area into another process 44->134 136 Sample uses process hollowing technique 44->136 138 Tries to detect virtualization through RDTSC time measurements 44->138 53 conhost.exe 47->53         started        140 Adds a directory exclusion to Windows Defender 49->140 55 powershell.exe 23 49->55         started        process18 signatures19 130 DLL side loading technique detected 55->130 58 conhost.exe 55->58         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 06:54:37 UTC
File Type:
PE (Exe)
Extracted files:
96
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvlqljou4lhr4pmywmebujjdza6afmbu6gz55xfny5zroemgh22a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
112da5dc2023c407a5d080239836143b39d1a75aa579c373fea4f7b3171c2925
Formbook
1c629a87d868f7e9a1d1b3b121a17c18facf18fff084438f40e853bfd5cb1169
Formbook
36ea5e98f9aa4987174b4edb33c937f9091f1e06fd370f7f8e66da700700539f
Formbook
4f5c467411c837a992614f516e8894702370854dc6abc7644754a3be19b85476
Formbook
78c83e6e7ce1c4708302ea7cd0a51b142b49f1e58e5fdefa07d9891b019683a4
Formbook
ab885c190a5cf8f650a0c8ff3b6e0bd2ed857e4126cfde672fa5a70db5616751
Formbook
d4ab87e55002c6b6e0aafcf9365ab9017946e998371e43b15a50bae8475b947c
Formbook
ee0603d9ad98809ae728d4d1ebee72fcb97b28d493df380a6805f7d45a086b64
Formbook
+ 3'508 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:go04 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230919-mljz3sgd9y/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
cba4816de6e72d867e32efff1a2aec17fb05f32f522321696510e9ea7bfbf807
MD5 hash:
f63cb8a6dacfbd4f51c03ace6e0909fa
SHA1 hash:
d908d6f2785e4f8a3077a9a62b92fd54a4ebf46e
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/e35db2eb-73cf-4de3-83fc-e388ef01a9ab/
Parent samples :
ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458
a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4
3f91df1694752e2393e88e98c63348a310db58b7665d6e9d2ec7b2e84344aeda
131a53178cbae4b360182b1b2913374dad6fb40423c1ce528874a720c053ec7d
95c4b78aa2574cc094f0ab1ca7fac7b2adef8123aab82680c1a88df43f5a282e
7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/e35db2eb-73cf-4de3-83fc-e388ef01a9ab/
SH256 hash:
a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4
MD5 hash:
97cf574d71a2264657126ec9cb413ad7
SHA1 hash:
f372dd5ae3354c900767745423656a1846898abf
Link:
https://www.unpac.me/results/e35db2eb-73cf-4de3-83fc-e388ef01a9ab/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a55705a5d4e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449647/

Comments