MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1
SHA3-384 hash: 5c9b8868f4170fcd4dc00411af0a83f8991d11f37c24d9773f5aee3a98b4781202b9a0d674fbd2c0785f0d307a9f1cf4
SHA1 hash: 3c8d27ee915227285f75b2767ee657234034d02b
MD5 hash: d8e4d7c88794e965084c673d265d3e2e
humanhash: happy-minnesota-steak-happy
File name:d8e4d7c88794e965084c673d265d3e2e
Download: download sample
Signature Formbook
Create hunting rule
File size:1'018'880 bytes
First seen:2022-02-07 10:28:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8291d27d1843f891720ab7e926d8c23 (3 x DBatLoader, 2 x Loki, 2 x Formbook)
ssdeep 12288:9Yt08SVogpiVHy+BiVzo3u1ioALA/zlFPnukXlvMdZx908V7b1NlplJ/:2trSRiVHy+BOAgsA/zbnLkzj7pNlpr/
Threatray 13'505 similar samples on MalwareBazaar
TLSH T1C8258CA2E381583ED21726359D1ED674A91A7E703E2CE9C67FE03D0C2E74244B926DD3
File icon (PE):PE icon
dhash icon eef2f3969292d42a (18 x Formbook, 4 x Loki, 2 x DBatLoader)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/234458/
Detection(s):
SecuriteInfo.com.Artemis5D5866815F00.22073.20754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6214/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/6200f474accdde96b5e5052a/reports/3626ee87-1f5e-4841-97b6-824c10626770/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c94987da-9b5f-449c-89f2-3c62771f60de
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935064
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567542 Sample: BC6pzL1YQs Startdate: 07/02/2022 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->63 65 4 other signatures 2->65 9 BC6pzL1YQs.exe 1 17 2->9         started        process3 dnsIp4 51 onedrive.live.com 9->51 53 o6dtxw.bl.files.1drv.com 9->53 55 bl-files.fe.1drv.com 9->55 35 C:\Users\user\Btuuumns.exe, PE32 9->35 dropped 37 C:\Users\user\Btuuumns.exe:Zone.Identifier, ASCII 9->37 dropped 81 Drops PE files to the user root directory 9->81 83 Writes to foreign memory regions 9->83 85 Creates a thread in another existing process (thread injection) 9->85 87 Injects a PE file into a foreign processes 9->87 14 logagent.exe 9->14         started        file5 signatures6 process7 signatures8 89 Modifies the context of a thread in another process (thread injection) 14->89 91 Maps a DLL or memory area into another process 14->91 93 Sample uses process hollowing technique 14->93 95 2 other signatures 14->95 17 explorer.exe 2 14->17 injected process9 signatures10 57 Uses ipconfig to lookup or modify the Windows network settings 17->57 20 Btuuumns.exe 15 17->20         started        24 Btuuumns.exe 16 17->24         started        26 ipconfig.exe 17->26         started        process11 dnsIp12 39 onedrive.live.com 20->39 41 o6dtxw.bl.files.1drv.com 20->41 43 bl-files.fe.1drv.com 20->43 67 Multi AV Scanner detection for dropped file 20->67 69 Writes to foreign memory regions 20->69 71 Creates a thread in another existing process (thread injection) 20->71 28 logagent.exe 20->28         started        45 onedrive.live.com 24->45 47 o6dtxw.bl.files.1drv.com 24->47 49 bl-files.fe.1drv.com 24->49 73 Injects a PE file into a foreign processes 24->73 30 DpiScaling.exe 24->30         started        75 Modifies the context of a thread in another process (thread injection) 26->75 77 Maps a DLL or memory area into another process 26->77 79 Tries to detect virtualization through RDTSC time measurements 26->79 33 explorer.exe 114 26->33         started        signatures13 process14 signatures15 97 Tries to detect virtualization through RDTSC time measurements 30->97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 10:29:15 UTC
File Type:
PE (Exe)
Extracted files:
121
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=whrchdwygu2x6bquk3d2hdigedhprn4pbynjqvqthtc3fac6b3iq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
Formbook
074991cefc03a7683cb3c81e83c383010f45c130fdc6dafa13469bfffaf87867
Formbook
0abec9fa236e37269a9bf904a27b2a2650bea8a5b81fcdbed6a1c5b5f37218cf
Formbook
4c1916f66fa05e3ce6bfc378af5ca0afb182fc1f5b866e8f5b86eaf0c1300015
Formbook
527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
Formbook
67bf345a4ea3e03b4b58a7d9e47f9d31a93f79fefe4e69067ee6c15250930169
Formbook
786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
Formbook
bc94f855af63f2b711742d13249e36791c034b6369ecdc79878c04de8a4dbd6b
Formbook
c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a
Formbook
+ 13'495 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220207-mh9fkaahhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1
MD5 hash:
d8e4d7c88794e965084c673d265d3e2e
SHA1 hash:
3c8d27ee915227285f75b2767ee657234034d02b
Link:
https://www.unpac.me/results/15c5396a-8356-4f38-a661-d85169198cda/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b1e2238ed835/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2033765/
Cape
Cape
https://www.capesandbox.com/analysis/234458/

Comments


Avatar
zbet commented on 2022-02-07 10:28:55 UTC

url : hxxp://2.58.149.229/mkto.exe