MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972
SHA3-384 hash: a8f32b2297039d3bd7a066af2d4751df69e8c4d464d010294e2fefa98f747318e8b96c0fcc20a2d39d451a02995db893
SHA1 hash: 5d0357b0a458f9941a6941f6a4e7d6dd406a09c4
MD5 hash: 1986fb6ee09e4d2f1f254f965595113d
humanhash: beer-carolina-yankee-kilo
File name:inquiry20230309.doc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:285'679 bytes
First seen:2023-11-13 06:38:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:tYa6sM7Chh4UUspoaMKOBUVMVqpscBSE3FTl0zxi9PrGY08G:tYWMOhh4UUeoahO+VMVqK0rt08G
Threatray 1'841 similar samples on MalwareBazaar
TLSH T1ED54122427A08573E83146312E664B469BBA2D4D7D71EB4F27103D5AB933360CE3E3A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0c4a2a2a4bcbcf8 (15 x Loki, 12 x Formbook, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458282/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65861618.1202.16725.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6551c48c993fbf888b731542/reports/ed08a809-4fdd-49e2-83d3-c67bac8edb6f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341515
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1341515 Sample: inquiry20230309.doc.exe Startdate: 13/11/2023 Architecture: WINDOWS Score: 100 35 www.utmedicined.com 2->35 37 www.taskee.pro 2->37 39 7 other IPs or domains 2->39 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 8 other signatures 2->59 11 inquiry20230309.doc.exe 19 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\ngqzm.exe, PE32 11->33 dropped 14 ngqzm.exe 11->14         started        process6 signatures7 71 Antivirus detection for dropped file 14->71 73 Multi AV Scanner detection for dropped file 14->73 75 Machine Learning detection for dropped file 14->75 77 Maps a DLL or memory area into another process 14->77 17 ngqzm.exe 14->17         started        process8 signatures9 47 Maps a DLL or memory area into another process 17->47 49 Sample uses process hollowing technique 17->49 51 Queues an APC in another process (thread injection) 17->51 20 PxaUpuFgzRz.exe 17->20 injected process10 process11 22 WWAHost.exe 13 20->22         started        25 autofmt.exe 20->25         started        signatures12 61 Tries to steal Mail credentials (via file / registry access) 22->61 63 Tries to harvest and steal browser information (history, passwords, etc) 22->63 65 Writes to foreign memory regions 22->65 67 3 other signatures 22->67 27 explorer.exe 6 1 22->27 injected 31 firefox.exe 22->31         started        process13 dnsIp14 41 www.performingartshub.co.uk 217.160.0.64, 49707, 49708, 49709 ONEANDONE-ASBrauerstrasse48DE Germany 27->41 43 www.deglaz.xyz 199.192.28.121, 80 NAMECHEAP-NETUS United States 27->43 45 3 other IPs or domains 27->45 69 System process connects to network (likely due to code injection or exploit) 27->69 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 23:28:23 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnqx344tbmpnd3r36loe5qw3rw4p3otixjizqgb4x6lloxzxzfza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3353243680817a9543a9cd91723d5452591805ff28f458d740c0f94e85ea62e5
Formbook
3fc3939a2fc6d4c3fca7f8a09523c19052dde1cc175d80d03cd9f54e3543111b
Formbook
4dc1d7f5403f147bc8bd69fe671d86c1a990ed0c3727d07b757ef95fbcd232b9
Formbook
7421357a93e7c44d80dd1fca3c0359e23b98c590722ef09ee940766fb5252fdf
Formbook
80de560dcd30d364bc855a7ec22607f884b9f9f4e8989e85c2d71377c399f1d8
Formbook
8dd634edea7c470fe551cc425ff6851db72af868b04b747e5c516d4743fa3055
Formbook
9d4378cdf74af431b0ac0afc6f5341f896dcb5fba9ccc937deb50a4539aa712b
Formbook
b07ff609e78d096d73e434151b8d0d3e429110dc449656a6b9f7316dd6603d7a
Formbook
ee818f26515fa5b367639b6b76c96c3dd04cb96a46cdf7037e19b97f6a630d07
Formbook
+ 1'831 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231113-hemp6sbc55/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
974f20478e3d1e61365baf813f345a9c5a2d27a8795e4f649b5cc44f37293356
MD5 hash:
a2e982c087e76cc6d7cda3c61fc8e6d2
SHA1 hash:
8c47d2526727e527020442ca9fc14710dfd427cc
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/181d8241-5b53-4797-b1b8-df2a0dc835d8/
Parent samples :
768e93dbe738905b75a89ba17edae3c981219e7f0261b19cdc61a055c0bb51a2
38445abb6c7dd298fbbaad98a07b0909572ef3ffd42bb58cdfbd4b42e02aaa35
4a62aa62e4dbe3f70ef100846e6c7d41bc4ce6a7825c3a5df5253f8314983025
ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972
SH256 hash:
ead07f5ee8c6c7652d6d6a14ec50e7780456250e2a88a02ca45f87c4e023286c
MD5 hash:
1983b276974dab91dad5346f0f4c39fa
SHA1 hash:
1ebbd45ea042e23a6452e2f37540481770b1785d
Link:
https://www.unpac.me/results/181d8241-5b53-4797-b1b8-df2a0dc835d8/
SH256 hash:
ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972
MD5 hash:
1986fb6ee09e4d2f1f254f965595113d
SHA1 hash:
5d0357b0a458f9941a6941f6a4e7d6dd406a09c4
Link:
https://www.unpac.me/results/181d8241-5b53-4797-b1b8-df2a0dc835d8/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab617df3930b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/458282/

Comments