MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
SHA3-384 hash: fea66f73f4111fed3307c81708ce8595a51b71d98bfcd716e5a5c52725762d291f478f23d8f1fd7a1aaf4171f00cbaf6
SHA1 hash: b38e41f282db7e780cb03d609b190b56a91e5c5d
MD5 hash: 1fac862a649460588c75ae2eb49bbd9c
humanhash: enemy-vermont-burger-steak
File name:triage_dropped_file
Download: download sample
Signature Formbook
Create hunting rule
File size:1'031'680 bytes
First seen:2022-08-26 12:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ece17b2e649d5a5008f1aa7cdee9f6f (4 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep 12288:fMrKprISPxdtyWrV3vneDB5JkTEp9ybqTiQJ5KT7grzwGjReiOXRDJymf7fvO:fMmljztfw+woiiqPheiOXRDDvO
TLSH T14F25AFE1B2E2CA3BD0231538DD67A3559C29FE801A24644E67F62C5CAF3A353342F657
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
REVISED EPDA for AUGUST 22 -UPDATED (STATEMENT).docx
Verdict:
Malicious activity
Analysis date:
2022-08-26 10:05:18 UTC
Tags:
opendir trojan exploit CVE-2017-11882 loader formbook stealer phishing
Link:
https://app.any.run/tasks/1fe8a778-aa34-487b-a771-5b2e4b1ee00b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301396/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.39208.15296.20834.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30193/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/6308b6b6393b1c8c47156edb/reports/bd4c4d8f-8781-44a4-9e37-3b5875e461e7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b82d1221-e5c4-468c-afa9-83718044e96c
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058394
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690908 Sample: triage_dropped_file Startdate: 26/08/2022 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 5 other signatures 2->72 10 triage_dropped_file.exe 1 22 2->10         started        15 Awflwvnek.exe 14 2->15         started        17 Awflwvnek.exe 12 2->17         started        process3 dnsIp4 62 morientlines.com 103.11.189.121, 443, 49707, 49708 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 10->62 54 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->54 dropped 56 C:\Users\Public\Libraries\Awflwvnek.exe, PE32 10->56 dropped 58 C:\Users\...\Awflwvnek.exe:Zone.Identifier, ASCII 10->58 dropped 60 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->60 dropped 88 Writes to foreign memory regions 10->88 90 Allocates memory in foreign processes 10->90 92 Creates a thread in another existing process (thread injection) 10->92 94 Injects a PE file into a foreign processes 10->94 19 cmd.exe 3 10->19         started        22 iexpress.exe 10->22         started        96 Multi AV Scanner detection for dropped file 15->96 98 Machine Learning detection for dropped file 15->98 24 iexpress.exe 15->24         started        26 iexpress.exe 17->26         started        file5 signatures6 process7 signatures8 74 Uses ping.exe to sleep 19->74 76 Drops executables to the windows directory (C:\Windows) and starts them 19->76 78 Uses ping.exe to check the status of other devices and networks 19->78 28 easinvoker.exe 19->28         started        30 PING.EXE 1 19->30         started        33 xcopy.exe 2 19->33         started        38 6 other processes 19->38 80 Maps a DLL or memory area into another process 22->80 36 explorer.exe 22->36 injected process9 dnsIp10 40 cmd.exe 1 28->40         started        64 127.0.0.1 unknown unknown 30->64 50 C:\Windows \System32\easinvoker.exe, PE32+ 33->50 dropped 52 C:\Windows \System32\netutils.dll, PE32+ 38->52 dropped file11 process12 signatures13 82 Suspicious powershell command line found 40->82 84 Adds a directory exclusion to Windows Defender 40->84 43 powershell.exe 26 40->43         started        46 conhost.exe 40->46         started        process14 signatures15 86 DLL side loading technique detected 43->86 48 conhost.exe 43->48         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-26 03:09:11 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjfdz5ajyzoijyzyiheskm6rpanadtk3dnn2g4xawpkmgm5i6x7a._file
Verdict:
malicious
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/220826-n7fp8acbak/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
ff783f09dc68f0b6855e1a4d38acceaba749b51355c4a72730a8d3b8b8124d33
MD5 hash:
82710cae7fe6b6a1413f02528e3e8063
SHA1 hash:
bbad2e642148c629a26680fc15538e503dcf0a8c
Link:
https://www.unpac.me/results/a818b38f-60b8-4517-ab5c-8295c8fcf91a/
SH256 hash:
53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1
MD5 hash:
38a86eff48873c72ca4d72f191a56f63
SHA1 hash:
25e96f601aa827d3b1ab70b0fdc67d0c15023b73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/a818b38f-60b8-4517-ab5c-8295c8fcf91a/
Parent samples :
e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
SH256 hash:
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
MD5 hash:
1fac862a649460588c75ae2eb49bbd9c
SHA1 hash:
b38e41f282db7e780cb03d609b190b56a91e5c5d
Link:
https://www.unpac.me/results/a818b38f-60b8-4517-ab5c-8295c8fcf91a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301396/

Comments