MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a
SHA3-384 hash: 9e95a921b0acfdbf40bf750bcc9c1f5f38b8fe6093a32b0b3fc7c8f21a2490e56df5f15eae01cda976458e6c70644665
SHA1 hash: 688d24bcf41841ad8d7b9b1b90ec6c5c20dae498
MD5 hash: a4cb79737cd6958c38b7bba6e414d795
humanhash: neptune-fish-black-network
File name:VSL_BUNKER INQ(009-010).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:741'888 bytes
First seen:2022-11-10 12:29:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Vx8sg+dhSpDh1rAKm4xUXXTXjfRCbYiLMTPcu3d6lM/:AkdU5z+JXTTfRGC3
TLSH T12DF49DA820518599FBAF977561ECFFB052B630F3A1CC875692756084CBD9FD20E8128F
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13097/50/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0ce4d09ecefc799a (13 x Formbook, 9 x AgentTesla, 6 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
VSL_BUNKER INQ(009-010).exe
Verdict:
Malicious activity
Analysis date:
2022-11-10 12:48:46 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/95b0152a-b42d-4634-9e21-f5eb00633324

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/331908/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed rundll32.exe
Link:
https://www.filescan.io/uploads/636ceed382dd9f2e265354be/reports/aad4c71f-c09f-44b1-b9f3-63ed31c032b6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49137856-095f-4bf1-b192-350e909a9e4b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1110487
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743181 Sample: VSL_BUNKER INQ(009-010).exe Startdate: 10/11/2022 Architecture: WINDOWS Score: 100 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AntiVM3 2->36 38 5 other signatures 2->38 8 VSL_BUNKER INQ(009-010).exe 3 2->8         started        process3 file4 22 C:\Users\...\VSL_BUNKER INQ(009-010).exe.log, ASCII 8->22 dropped 48 Injects a PE file into a foreign processes 8->48 12 VSL_BUNKER INQ(009-010).exe 8->12         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 12->50 52 Maps a DLL or memory area into another process 12->52 54 Sample uses process hollowing technique 12->54 56 Queues an APC in another process (thread injection) 12->56 15 explorer.exe 12->15 injected process8 dnsIp9 24 www.yes2e.tech 79.98.26.42, 49724, 49725, 49726 RACKRAYUABRakrejusLT Lithuania 15->24 26 www.infraedu.info 121.254.178.253, 49721, 49722, 49723 LGDACOMLGDACOMCorporationKR Korea Republic of 15->26 28 2 other IPs or domains 15->28 30 System process connects to network (likely due to code injection or exploit) 15->30 19 msdt.exe 13 15->19         started        signatures10 process11 signatures12 40 Tries to steal Mail credentials (via file / registry access) 19->40 42 Tries to harvest and steal browser information (history, passwords, etc) 19->42 44 Deletes itself after installation 19->44 46 2 other signatures 19->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 02:16:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
60
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xe4jlpzfwsaceuwjkrlx5x6owhwefcbhbo6qjjnkmitppsluo5fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:u2t4 rat spyware stealer trojan
Link:
https://tria.ge/reports/221110-ppgegahgf6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52ea7b86-42ed-49f0-a175-cb1438b02a04
Unpacked files
SH256 hash:
959bd36359bbcaa56a2add5d7a34a96a326dc93cbf9423f242830570b31f94f4
MD5 hash:
bc0d16b08ecfb94a917bd18442054e3c
SHA1 hash:
925b845dccc589d6a65ebd0927786165e87e989b
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
Parent samples :
b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a
2382a65e62ea823df4d480c958ba0df9712521d74cbf85327f1279c6729f4797
6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae
bf72c2caa17e8d579ea996b2bf36bb251498e56e26375b88703f1d59289d9e80
SH256 hash:
782be9612927fe798168cb379202d7d4965a8f7271f4d4c73233e3fedcc05489
MD5 hash:
5bad6dcdad3c91897b544a21bac192c1
SHA1 hash:
5ed31cb612c82d1b61aec69b4074b8cf47378091
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
SH256 hash:
79cdcb839d8f9aa2b884a1a3f4baed98160dc02234eef331212d1c0a63157927
MD5 hash:
6370e5bf725a4e286787e52776f76c9f
SHA1 hash:
cacdcfdce756881c18cf632750743116218c0a5b
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
SH256 hash:
c1d58f15d9f752f10a5cbad868956a9fd127aa7f294f61ae08b0964342dd4bbd
MD5 hash:
4c4f2c4cdb3022d81cfa5f8146555e64
SHA1 hash:
c6a5db4282a8577833c51d4990cfa486645850c6
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
SH256 hash:
b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a
MD5 hash:
a4cb79737cd6958c38b7bba6e414d795
SHA1 hash:
688d24bcf41841ad8d7b9b1b90ec6c5c20dae498
Link:
https://www.unpac.me/results/e09404c0-9b62-48f4-907c-cae6ae41cf9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/331908/

Comments