MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
SHA3-384 hash:	69f2524f0ad0ed04879e828ec29e7e9b25a4902d7df759eed535589601a87d22754b1d30048b86505fcaa0b89a06bb7d
SHA1 hash:	97c623c38ec83ad146f80f4da6fcf083c95dd50b
MD5 hash:	10bef7b81cbd13b3dc58d813e7fc06c1
humanhash:	grey-orange-snake-venus
File name:	Shipping documentsProforma invoice.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	747'008 bytes
First seen:	2021-08-23 14:28:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	12288:RQioUx/2JW1hxrQe+IguVZRFzODnQx0+NpYuJTquMvCEWs:R52JWhZvP4J+NpBsz3
Threatray	8'491 similar samples on MalwareBazaar
TLSH	T14CF47C36FAB1A874C4622F3DD82B44ADCD2D7D45DC7C78562AE60A0E4F39B913426387
dhash icon	cad7b5b2eaaaaab6 (1 x NetWire, 1 x Formbook, 1 x RemcosRAT)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipping documentsProforma invoice.exe

Verdict:

Malicious activity

Analysis date:

2021-08-23 15:31:26 UTC

Tags:

installer

Link:

https://app.any.run/tasks/0b48c2c8-7284-48ed-ad23-328a652a1064

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

neshta

Link:

https://www.capesandbox.com/analysis/181522/

Detection(s):

Win.Trojan.Neshuta-1

PUA.Win.Packer.Pequake-4

PUA.Win.Packer.BorlandDelphi-15

Win.Virus.Neshta-7101689-0

PUA.Win.Adware.Slugin-6840354-0

Win.Trojan.Jadtre-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file in the Windows directory

Modifying an executable file

Creating a window

Creating a file

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Sending a UDP request

Launching a process

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Deleting a recently created file

Enabling autorun with the shell\open\command registry branches

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Infecting executable files

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Neshta

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5352ccc8-2757-4c2c-9e16-dfc58782cd21

Result

Threat name:

Neshta

Detection:

malicious

Classification:

spre

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/837608

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Drops PE files with a suspicious file extension

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Neshta

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26/

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2021-08-23 11:49:58 UTC

AV detection:

45 of 46 (97.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u7ajhevke2lcwigs7rmdtc3eexv5ayqypmush653pmmgmur7dyta._file

Verdict:

malicious

Label(s):

formbook

Formbook

36f75bca9696563fcf8d51cc8cf33685de3caa6618d2c2e61560349a4179188b

Formbook

3803dec5e2ab718dedda091e9ee84b588545614ae3d54aa78d956cec21128fda

Formbook

385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4

Formbook

5b7a858563dfd290658d183a0d1c101e39a9dda3327e84c11ef12bc873cb98b9

Formbook

7f6e0bac11526a5e1bbcdb54476c0bb7e8fdb7d8008001a5a488c60a080fc51c

Formbook

93f0775c5a5512759f85db7b3d1c4b3ee7049369cd0dcd1d4f778626621bfa0c

Formbook

a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c

Formbook

b56e7b2be2bb194db6e8e7c95e9477c49863e0eb8d2818f266f69e8e1a09647b

Formbook

d6774ae6ca85dfb3220ac31355b1ad0e3b9a7fbd769cccce4a26ba48fe6d7148

Formbook

+ 8'481 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:modiloader family:xloader campaign:b6cu loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/210823-37v3qt63ja/

Behaviour

Modifies registry class

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Adds policy Run key to start application

Executes dropped EXE

Xloader Payload

ModiLoader, DBatLoader

Modifies system executable filetype association

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.xn--marketingrevolucin-61b.com/b6cu/

Unpacked files

SH256 hash:

a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

MD5 hash:

10bef7b81cbd13b3dc58d813e7fc06c1

SHA1 hash:

97c623c38ec83ad146f80f4da6fcf083c95dd50b

Link:

https://www.unpac.me/results/a3b910da-f9f8-4e26-8aa4-979223dc248f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/181522/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample