MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab4f589d0f4ed44507e58153403916908d773badeca5daac840fb7eb6ce7bc54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab4f589d0f4ed44507e58153403916908d773badeca5daac840fb7eb6ce7bc54
SHA3-384 hash: 6bec0f8c7ee419a53c9ef7788748a6d54aaacdd206f39f180cb7bddf4c76d5f08ef264821972cc5cced13c25f8ae816c
SHA1 hash: 496fce3999d0689c4bdb6de4e6a861566658bae1
MD5 hash: 271cb345f5c456e08e1e7b4cdcd032de
humanhash: washington-south-georgia-purple
File name:NSPPD.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:848'384 bytes
First seen:2022-05-17 03:25:10 UTC
Last seen:2022-05-17 06:18:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44f46b6e3c134872b672cdd5c96ff6c6 (1 x Formbook, 1 x ModiLoader, 1 x NetWire)
ssdeep 12288:v7QA85i5WRqtJ4y19CvTpZ9McIrl/a5CQegMbWmuXMdk:vkAmhuJ4M6PMl/rQUMMe
TLSH T1B00539A221A088F3D7725233DD6A9AEC56317D70DD25544F3B9C7D8C5A33280EE2A9C7
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 161c9bcbd32b565b (5 x Formbook, 2 x NetWire, 1 x ModiLoader)
Reporter FORMALITYDE
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NSPPD.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-17 03:28:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82add6d9-ebf7-4e93-b08e-a1dc88fb442c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/271332/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Searching for the window
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger wacatac
Link:
https://www.filescan.io/uploads/6283159ffd71ca8b2ee8db1d/reports/89c4167b-ef15-47f1-a8f0-b90e62b59fb1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3afa80d6-ef7d-481a-bdea-470ace954136
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995491
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab4f589d0f4ed44507e58153403916908d773badeca5daac840fb7eb6ce7bc54/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 15:54:35 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnhvrhipj3kekb7fqfjuaoiwscgxoo5n5ss5vleeb636w3hhxrka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:tee5 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220517-dy7ggaeeg7/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
ab4f589d0f4ed44507e58153403916908d773badeca5daac840fb7eb6ce7bc54
MD5 hash:
271cb345f5c456e08e1e7b4cdcd032de
SHA1 hash:
496fce3999d0689c4bdb6de4e6a861566658bae1
Link:
https://www.unpac.me/results/21f2de48-9c59-4b2e-9d78-938beeaf73b0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab4f589d0f4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/ab4f589d0f4ed44507e58153403916908d773badeca5daac840fb7eb6ce7bc54

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ab4f589d0f4ed44507e58153403916908d773badeca5daac840fb7eb6ce7bc54

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/271332/

Comments