MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7
SHA3-384 hash: 1abe9d55fc66d349c4b2eef67a7bc2c9eb3bda0d4b54c5719e959274130a20fc117f001763090bf8dd9d75d87b3679f9
SHA1 hash: c16ea1f1642dd3c5d353c61ab651e97cf0519e11
MD5 hash: c8f3f5bd3838ac153aa6c0f2abbd3c8a
humanhash: pluto-crazy-april-alanine
File name:Buyer's order No. 207 dated 18.07.2022_.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:931'328 bytes
First seen:2022-07-18 09:50:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d032dd22763347b8e35a8054190593b4 (5 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 24576:m/lJKxUEzLCgaSbKKeSTtVSn52pAf2rDNtl2aCHX:m/lJOCOWsSn52KN
Threatray 17'065 similar samples on MalwareBazaar
TLSH T1B8159E52E3B1DC32D162163F8D67B6A95D3DBF412A28F88927E43E4C6EF434178252D2
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13101/52/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.17027.27854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file
Launching a process
DNS request
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed remcos wacatac
Link:
https://www.filescan.io/uploads/62d52d8461945a46c8d33144/reports/59ef0683-4d00-4542-8a4d-a7f32747cd38/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b96ca700-9b25-4429-b502-09bb1bb929b1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035641
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 668135 Sample: Buyer's order No. 207 dated... Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 40 www.technology-web3.com 2->40 42 www.olymp-trad.com 2->42 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 3 other signatures 2->54 10 Buyer's order No. 207 dated 18.07.2022_.exe 1 17 2->10         started        signatures3 process4 dnsIp5 46 20.48.255.12, 49720, 49725, 49747 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->46 36 C:\Users\Public\Libraries\Lsjsbs.exe, PE32 10->36 dropped 38 C:\Users\...\Lsjsbs.exe:Zone.Identifier, ASCII 10->38 dropped 72 Writes to foreign memory regions 10->72 74 Allocates memory in foreign processes 10->74 76 Creates a thread in another existing process (thread injection) 10->76 78 Injects a PE file into a foreign processes 10->78 15 mobsync.exe 10->15         started        file6 signatures7 process8 signatures9 80 Modifies the context of a thread in another process (thread injection) 15->80 82 Maps a DLL or memory area into another process 15->82 84 Sample uses process hollowing technique 15->84 86 Queues an APC in another process (thread injection) 15->86 18 explorer.exe 2 15->18 injected process10 dnsIp11 44 www.areaareapointwhere.cfd 188.114.97.3, 49767, 80 CLOUDFLARENETUS European Union 18->44 56 System process connects to network (likely due to code injection or exploit) 18->56 22 Lsjsbs.exe 13 18->22         started        25 Lsjsbs.exe 14 18->25         started        27 cmstp.exe 18->27         started        29 2 other processes 18->29 signatures12 process13 signatures14 58 Multi AV Scanner detection for dropped file 22->58 60 Writes to foreign memory regions 22->60 62 Allocates memory in foreign processes 22->62 31 mobsync.exe 22->31         started        64 Creates a thread in another existing process (thread injection) 25->64 66 Injects a PE file into a foreign processes 25->66 34 mobsync.exe 25->34         started        68 Modifies the context of a thread in another process (thread injection) 27->68 70 Maps a DLL or memory area into another process 27->70 process15 signatures16 88 Modifies the context of a thread in another process (thread injection) 31->88 90 Maps a DLL or memory area into another process 31->90 92 Sample uses process hollowing technique 31->92
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 07:53:39 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wluzh4izpscwqombx3ccptk6lo2mx6ce6bj2hrdspjyx5hashs3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19abd30bf9cb709307f9d1d1a2eda16d087dc4b699732841ea5a210aede0ebc4
Formbook
23d18a124c44e1f80a9eed03f108139f21a9cbfe060b36211bf21c6cf7213a16
Formbook
25349b2c8f2818db5174e1a60ca9c589ea76d90fd9422c9fb8d4f860caf9696a
Formbook
4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563
Formbook
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
Formbook
7163a32593b5045deb3bdce59153aa423a4fb8a7b155d233040945455e9c23fc
Formbook
71d4416a94c93021b07c9f0dc6a2d388b39bf429b58546dd85944b5681b19de5
Formbook
a8542b82f30bd1f1ac0fad9da2d06c9c0ee63d4a5b2e02534b7cbf97be882c0a
Formbook
bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
Formbook
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
Formbook
+ 17'055 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220718-lvgewabbe8/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/c3b21743-bf58-4e50-adfd-04129dac6d2e/
SH256 hash:
b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7
MD5 hash:
c8f3f5bd3838ac153aa6c0f2abbd3c8a
SHA1 hash:
c16ea1f1642dd3c5d353c61ab651e97cf0519e11
Link:
https://www.unpac.me/results/c3b21743-bf58-4e50-adfd-04129dac6d2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments