MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566
SHA3-384 hash: 65dc72c8717112eecf95067867710a7e574733f86c3947b45131c31bc4f99b4948a18df94c701b79770ac6f8cccaf828
SHA1 hash: 80d63a2a71a8fc800fbd56baea4125b7c5f61e09
MD5 hash: 4c2cdb900536961dfdcda8be0be11574
humanhash: lamp-winter-artist-fanta
File name:4c2cdb900536961dfdcda8be0be11574
Download: download sample
Signature Formbook
Create hunting rule
File size:1'335'296 bytes
First seen:2022-09-27 06:28:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 24576:M3ER93ESIXfCwGjfcBacjssVW//sSjCJWWQflDWUDzREhSur7+F1/CPaKOC+s:Mu/IvszcQsW//fSWFftWUDzShSur7aKE
Threatray 14'585 similar samples on MalwareBazaar
TLSH T18055CEC15267F0C8D2E0717844710B52A67638333EB9DD9F15C2AA3EAA2D1934727B6F
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lrPBx4qjVQLL_9.exe
Verdict:
Malicious activity
Analysis date:
2022-09-27 05:02:35 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/3f29026e-d8ea-4510-9f9a-bc7c6d5572ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313833/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.18513.31275.18664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39411/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
advpack.dll packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63329830665fcdb8807a2cc1/reports/fb4ca80b-b75d-4cfe-8fd5-b18229eb5acd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5dcf36e6-7af9-48ae-b2ca-6983ef1e3f8d
Result
Threat name:
DarkTortilla, FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078044
Signature
Antivirus / Scanner detection for submitted sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Uses 7zip to decompress a password protected archive
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DarkTortilla Crypter
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 710593 Sample: 46fgZhhrCv.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 41 www.google.com 2->41 53 Potential malicious icon found 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 3 other signatures 2->59 11 46fgZhhrCv.exe 1 5 2->11         started        14 rundll32.exe 2->14         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\Temp\...\7za.exe, PE32 11->39 dropped 16 cmd.exe 1 11->16         started        process6 signatures7 47 Uses ping.exe to sleep 16->47 49 Uses ping.exe to check the status of other devices and networks 16->49 51 Uses 7zip to decompress a password protected archive 16->51 19 3GGqW2HDHW.exe 15 3 16->19         started        23 PING.EXE 1 16->23         started        25 7za.exe 2 16->25         started        28 conhost.exe 16->28         started        process8 dnsIp9 43 www.google.com 142.250.185.228, 443, 49701 GOOGLEUS United States 19->43 61 Multi AV Scanner detection for dropped file 19->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->63 65 Injects a PE file into a foreign processes 19->65 30 3GGqW2HDHW.exe 19->30         started        45 127.0.0.1 unknown unknown 23->45 37 C:\Users\user\AppData\...\3GGqW2HDHW.exe, PE32 25->37 dropped file10 signatures11 process12 signatures13 67 Modifies the context of a thread in another process (thread injection) 30->67 69 Maps a DLL or memory area into another process 30->69 71 Sample uses process hollowing technique 30->71 73 Queues an APC in another process (thread injection) 30->73 33 explorer.exe 30->33 injected process14 process15 35 msdt.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566/
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-24 16:22:46 UTC
File Type:
PE+ (Exe)
Extracted files:
30
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzxveakwe2aazxg45dvprtzf44usalx7ceffzfkhs5jmr5sn2vta._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
formbook
Create hunting rule
Similar samples:
15eb688bffed96b0b324724e48b258dc6c6deb76d71310b26b01e1e12f26108c
Formbook
66e023153783841c82581216957c689782313b971b270bf48f1ec3bc1885d3e4
Formbook
78d04244289fe215008b2c7d8937813b740228e5b60092287346e66e29c8182d
Formbook
7ca3b28aa32d6b9bd972c430c47691db7212f9fd7b713c3ff2fab8b10a0bd66a
Formbook
7f0d2570e95993562f659f45e635df91b3155a8c220bc1b859f1cf838bb66278
Formbook
8af9276a69ab25e20e96921b19b6d3dd4b8d15c7472addbad8a89757fe4251ef
Formbook
c5aaaf40148a7d8bd30681af759e7e922c491404610c1691d3ce7d1c1b849bcd
Formbook
f5e4fe8ba1f482c650dfe0122078475da2330edf2a0bab3357ff071d27fa1a36
Formbook
+ 14'575 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:qtmt loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220927-g8xa2acgb7/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Xloader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bb8bf1b0-60f0-48f6-8649-27c99454fa9e
Unpacked files
SH256 hash:
b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566
MD5 hash:
4c2cdb900536961dfdcda8be0be11574
SHA1 hash:
80d63a2a71a8fc800fbd56baea4125b7c5f61e09
Link:
https://www.unpac.me/results/9d3bd19c-bfed-4f42-9c2d-05479faea926/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b66f52015626/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2314945/
Cape
Cape
https://www.capesandbox.com/analysis/313833/

Comments


Avatar
zbet commented on 2022-09-27 06:28:12 UTC

url : hxxp://wizecenter.com/js/netnvm64.exe