MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
SHA3-384 hash: 5bb6c7bf6fed5ec60d1c5263cb361ed2b99d9372b83939242e1ff5b4e12e0aa176f0268fe8a75740fc7300d1ceb31f98
SHA1 hash: f335520110ef6cfe207e30a57b2f80edaf109f0f
MD5 hash: 7aaebf3ff4fca13fcdc815879b87279d
humanhash: social-bluebird-sierra-island
File name:AUGUST STATEMENT-DUE PAYMENTS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:944'128 bytes
First seen:2022-08-25 08:35:44 UTC
Last seen:2022-08-25 13:52:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f81b5c9269910375af465608d2f2ff2 (3 x RemcosRAT, 3 x Formbook, 2 x DBatLoader)
ssdeep 12288:AJUHQf66vLY0QWoYa5RsDDVQdDPf+rKU5IT7greRccA/s/rsGvRcZoYto:AsoUQin8uerHqRcv/sHsoIo
TLSH T191159E11F362C83FD6736638CC4796AC981D7E107934A44A77E50D487B7A3A2662F2CB
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter 0xToxin
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AUGUST STATEMENT-DUE PAYMENTS.exe
Verdict:
Malicious activity
Analysis date:
2022-08-25 08:41:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be0e940a-0669-46cd-8dd8-efea5f458aef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301075/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436143.17787.27254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30037/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay shell32.dll
Link:
https://www.filescan.io/uploads/630734f3c7e5977f84e8874f/reports/bddc02a7-77df-4930-8d8d-03cc60904928/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7f03c43e-ad70-4d52-af9e-81a01659d46c
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1057548
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 02:52:42 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4s5omgccatuy7gdh6uqybsgpt46gqlktuqu4bqoctzshuy2updq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220825-khk2vsabhm/
Unpacked files
SH256 hash:
53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1
MD5 hash:
38a86eff48873c72ca4d72f191a56f63
SHA1 hash:
25e96f601aa827d3b1ab70b0fdc67d0c15023b73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/962d193e-bfd2-4dfd-8558-8f5e058ec0bb/
Parent samples :
e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
SH256 hash:
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
MD5 hash:
7aaebf3ff4fca13fcdc815879b87279d
SHA1 hash:
f335520110ef6cfe207e30a57b2f80edaf109f0f
Link:
https://www.unpac.me/results/962d193e-bfd2-4dfd-8558-8f5e058ec0bb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b725d730c210/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/301075/

Comments