MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2c65c335545ffd73fb92349404d68bd4f0866aae7e3d9eeec19ac28d0410312. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: b2c65c335545ffd73fb92349404d68bd4f0866aae7e3d9eeec19ac28d0410312
SHA3-384 hash: 2c19044a0ad906c43b7f34612d6f23fb93355364b88cc17577eb0b5eef42e5e86fe02b5ccd5af20f0b416c7e024fa726
SHA1 hash: a7cdcda31513b4614ad2bcfd4c3dd0321d8e6460
MD5 hash: bc8d6f34fb023a57395156053eb1a76e
humanhash: cat-don-red-washington
File name: QUOTATION_pdf.gz.exe
Signature Formbook
File size: 351'546 bytes
First seen: 2023-12-05 08:39:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:P8LxB0R+/EhktiI+fJyxSDRF8V1WKCPfqu33BBj30tyfJQx:xIijJyxyYqX93RZkMJW
Threatray 313 similar samples on MalwareBazaar
TLSH T1557423A226D18473D6DA23F1A8DBD77DF73B21290AC300074FB0AE7B35219999907393
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags: exe FormBook QUOTATION

Intelligence


File Origin
# of uploads: 1
# of downloads: 353
Origin country: CH
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook, NSISDropper
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Behavior Graph ID: 1353830; Sample: QUOTATION_pdf.gz.exe; Startdate: 05/12/2023; Architecture: WINDOWS; Score: 100
Network contacts from the start node: www.melodiemoreira.com; 70716.BODIS.com
Signatures on the start node: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
Process chain:
QUOTATION_pdf.gz.exe started; dropped C:\Users\user\AppData\Local\Temp\lbheb.exe (PE32)
lbheb.exe started (Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures)
lbheb.exe started (Maps a DLL or memory area into another process)
FhzpxhVhydJwhVEKlsLkJmY.exe injected
mcbuilder.exe started (Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection))
FhzpxhVhydJwhVEKlsLkJmY.exe injected; firefox.exe started
Network contact from the injected process: 70716.BODIS.com 199.59.243.225, port 49714 -> 80, BODIS-NJUS, United States
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2023-12-04 15:53:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: a204335cd78301b04f7617e17521daa2d6e4946f85ffaad348cf920bcb3bd3cb
MD5 hash: 1957de57341b64f17b6514871908d29d
SHA1 hash: cb8b17e1e4817c4cd19c4c24cfbe57a5a9248c7d

SHA256 hash: d9a3b0fb941fb9ecdde79aa358f2b277a4ea6c46be148b3562f1ae39d829cfe9
MD5 hash: 702b13e23f56aaa79bd97dcaa3f93ec3
SHA1 hash: 720816cbd80c3fa07647637c613728155ca7f2b2

SHA256 hash: 47ad32bda82f92d0744fef230689c85fc4e94f76fba18c3842b72bc64fd5537e
MD5 hash: e5684d859165b82e4eb51fb84d9f9163
SHA1 hash: 2d6cb1ecf5394cac3dccf3c341bfaa1fca53fe08

SHA256 hash: be56a6be61402dab225e62acf7ef748021669575ff29f779686ae32b88ddf6ab
MD5 hash: 784085adb26c22b1e88e1e6bc19ba461
SHA1 hash: 27fad379f440f376b54952af1f9bb8e5d0700817

SHA256 hash: e00167acecb8fd5dfd613a822262b908cd751035267bd2d60730bec5e1e5184a
MD5 hash: ad2b27d4928ba02a97fc9c28876b7706
SHA1 hash: 05b8763fd9a118e0bfeda9f4fc1281ac4f45b952

SHA256 hash: 588e0aa9caab9cf2b9eccc7ccb569ed622317403c79193ba1a5d6064a9e91f89
MD5 hash: 2e510e06ff78989382c2a1d0a7e00ea0
SHA1 hash: 0125daeef662944f4395a4af814bf9c9ba66e977

SHA256 hash: b2c65c335545ffd73fb92349404d68bd4f0866aae7e3d9eeec19ac28d0410312
MD5 hash: bc8d6f34fb023a57395156053eb1a76e
SHA1 hash: a7cdcda31513b4614ad2bcfd4c3dd0321d8e6460
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: Formbook
File: Executable exe b2c65c335545ffd73fb92349404d68bd4f0866aae7e3d9eeec19ac28d0410312 (this sample)
