MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449
SHA3-384 hash: 0a6eb9cea617f80153329772a24646276e334d702af7bcd24da051b62b3ee1e0691b5bd02eb4321476c3fb6002eacede
SHA1 hash: 240457446e0dec6ba9954e282c64d243188068b6
MD5 hash: fa9a84a832837448d4c74982e02f53d2
humanhash: september-undress-skylark-mike
File name:SAPURA ENERGY - QUOTATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:395'393 bytes
First seen:2023-12-05 07:17:09 UTC
Last seen:2023-12-11 13:23:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:P8LxB0m7hURi7UMuEkjHDdHoFLnbqwyfollU52jMoOFiqSooaht0UX4:xmcJEkNAjywfU52j6+ooahi
TLSH T14284234366B504E7FA1043346ABF4AB9E362C119BA17710F97982A943F141836FD73BB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
321
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462568/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Agent.Q6BWPL.29542.30974.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656eceaf3f60a810348901fb/reports/4870cc2b-48f3-4018-ba80-d8896fae2bc7/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cbe3e591-49c0-4cf8-a1a4-d9c7e99f2520
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353769
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1353769 Sample: SAPURA_ENERGY_-_QUOTATION.exe Startdate: 05/12/2023 Architecture: WINDOWS Score: 100 32 www.zzennsensual.com 2->32 34 www.zippochinhhang88.online 2->34 36 14 other IPs or domains 2->36 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 11 SAPURA_ENERGY_-_QUOTATION.exe 17 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\yxhbhzs.exe, PE32 11->30 dropped 14 yxhbhzs.exe 11->14         started        process6 signatures7 62 Detected unpacking (changes PE section rights) 14->62 64 Maps a DLL or memory area into another process 14->64 17 yxhbhzs.exe 14->17         started        process8 signatures9 44 Maps a DLL or memory area into another process 17->44 20 eagQcaOiQgzjswYsF.exe 17->20 injected process10 process11 22 Utilman.exe 13 20->22         started        signatures12 54 Tries to steal Mail credentials (via file / registry access) 22->54 56 Tries to harvest and steal browser information (history, passwords, etc) 22->56 58 Writes to foreign memory regions 22->58 60 3 other signatures 22->60 25 eagQcaOiQgzjswYsF.exe 22->25 injected 28 firefox.exe 22->28         started        process13 dnsIp14 38 zzennsensual.com 81.169.145.84, 49726, 49727, 49728 STRATOSTRATOAGDE Germany 25->38 40 ext-sq.squarespace.com 198.185.159.144, 49716, 49717, 49718 SQUARESPACEUS United States 25->40 42 5 other IPs or domains 25->42
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 23:38:22 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wkjt2tveshbginkxu3b47khpnhthxeynv7obxiprfdnfcn2s6req._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231205-h4zq2ahg3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
9cac4cee6d62ef2cbbe2d347ba696780b13025fbf92da34627b83e4cdd59e50a
MD5 hash:
0074f575b355cdadb8df24f9e8f9c442
SHA1 hash:
fa6f7bfa65b0d88063d5763c9e1a3ce8222fa533
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
SH256 hash:
9a8cb309debd2042c4c54b0abdc056f1e4e8cf78a88b5f1566ad6c19775b3d73
MD5 hash:
75c8c8640e2faed2e8ae339188193200
SHA1 hash:
c0dc64638690ed983fe3dd811337cff4629e453c
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
SH256 hash:
260dd7f4fb40ac4b3c17c8d126540ca3ba9e83527487718b89758357cb7c531e
MD5 hash:
dab99a410b4eddeccf672c3d02aae842
SHA1 hash:
acb62f4c11bbd70be1fb61edb96cee15c02084bd
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
SH256 hash:
8ad5e95fe062180054d5ff133ffff18b415f02512b51e634150c847eec26cdae
MD5 hash:
7cb4af8d1aa417d4cb31d93d38620209
SHA1 hash:
a29db93957c37b34266de42b0c7c038260152224
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
SH256 hash:
43a1b34773062340f899f1434bdb63188a80f01584175b25e66e2cbf86f66b25
MD5 hash:
ffc56a970161828fd2609a3abacd4ad9
SHA1 hash:
880d684db21c2ec4fd0b56a0e759ae9d4ace403c
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
SH256 hash:
11f8a8cc3713f9558ed2059d9e12082c003134c40e3076428691bb4c831ae02e
MD5 hash:
7240008873b70742a950c9eb48d1b5ef
SHA1 hash:
85e6564ec3cfa316bcd6ea28ab0de36708b3f75b
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
SH256 hash:
b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449
MD5 hash:
fa9a84a832837448d4c74982e02f53d2
SHA1 hash:
240457446e0dec6ba9954e282c64d243188068b6
Link:
https://www.unpac.me/results/b4c22620-4877-47f6-9c93-77ff78fbd33b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2933d4ea491/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462568/

Comments