MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae
SHA3-384 hash: 125f60e3251062c3be0cd337151e109e49c7e931f7b0d8d83da40933e344f88f0a9de50541c34fb2e51e2a28ccb3bcc3
SHA1 hash: 570a9d7315fb3228c52bd458f45f37056babc551
MD5 hash: 925fc682341a0b019497e155f063ad61
humanhash: april-blossom-seven-stairway
File name:925fc682341a0b019497e155f063ad61
Download: download sample
Signature Formbook
Create hunting rule
File size:790'528 bytes
First seen:2022-06-17 07:04:15 UTC
Last seen:2022-07-14 05:45:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:RRe9dkxgJpqATi+YBdiPMbY+TnWzOBK6:DMdlUA2+vPkYcnWzO1
TLSH T116F48C9D721072EFC857D072EEA82DA4EB6478BB431B4203A02755EDAE4D957CF240F6
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CIT- P0234824.xlsx
Verdict:
Malicious activity
Analysis date:
2022-06-17 13:34:05 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/ae10ad26-abe4-47b3-8be0-23c9267e0b85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280856/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.11544.15929.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ac277f7046ab63f87800b2/reports/2e29aa6a-fbe2-47a0-b1c6-c9713027ecb8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/087e182b-5d52-40c3-836f-8d0f095d124e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1014942
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 647438 Sample: CHjawsJymY Startdate: 17/06/2022 Architecture: WINDOWS Score: 100 34 www.bravosbraziliansteakhouse.com 2->34 36 bravosbraziliansteakhouse.com 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AntiVM3 2->42 44 6 other signatures 2->44 11 CHjawsJymY.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\CHjawsJymY.exe.log, ASCII 11->32 dropped 54 Tries to detect virtualization through RDTSC time measurements 11->54 56 Injects a PE file into a foreign processes 11->56 58 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->58 15 CHjawsJymY.exe 11->15         started        18 CHjawsJymY.exe 11->18         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 15->60 62 Maps a DLL or memory area into another process 15->62 64 Sample uses process hollowing technique 15->64 66 Queues an APC in another process (thread injection) 15->66 20 explorer.exe 15->20 injected process9 signatures10 46 Uses netstat to query active network connections and open ports 20->46 23 NETSTAT.EXE 20->23         started        process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        28 explorer.exe 2 157 23->28         started        process13 process14 30 conhost.exe 26->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-17 04:10:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgftmodmo6sylvny6ws5bzn6uhl6i4rob27t4iscqtqsxv353oxa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:f02e rat spyware stealer trojan
Link:
https://tria.ge/reports/220617-hwhgsaahar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
0d8f5c8ec491b768b4a24b4004f4ef3d358b3fc22abbb1c429ee80e43f73bf8d
MD5 hash:
6297ff1b4376e8b2a1c0a0fbdc37ba83
SHA1 hash:
0c47b9a30a34d853379d073362d3d9e28a5997d7
Link:
https://www.unpac.me/results/472eb655-681c-43d4-9de2-f77381cc46ab/
SH256 hash:
eda3c21c32c2e3af8356303c5bd15cd0a1d257220f2a5cefd741eb363ee5e7b9
MD5 hash:
48ed45c072ec5bf5c6a0f3443211da3e
SHA1 hash:
2ac4fc52b65eecfc20a6626ca5acb79856116fc3
Link:
https://www.unpac.me/results/472eb655-681c-43d4-9de2-f77381cc46ab/
SH256 hash:
f30e21065a5bd07ccacfd86acebf492915e83f43ccfd55d1131dcbebe43a0c81
MD5 hash:
fa7bbbc9ddb414f86a2bb08b9b065fc7
SHA1 hash:
2db69b212a72de75c8877847f78eaae21689db41
Link:
https://www.unpac.me/results/472eb655-681c-43d4-9de2-f77381cc46ab/
SH256 hash:
2f6cfd6e244e4f7cf74f98a9dbb4380e60315b3c1bf51de3d4bc45ed5346c0af
MD5 hash:
647d3649f3ad477f016229d939a951fe
SHA1 hash:
a0e6d455cc77b5f131b6889b0b53b64757d935fa
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/472eb655-681c-43d4-9de2-f77381cc46ab/
Parent samples :
8c6cf3dd51c256ea804a793af94fa9e62da8d3208d1ea25b11042ed9e021db6e
b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae
28fc7ef1aa47bbec6342320a56f7accc1bc57cf96a5b75762f33fb5f9eea96c7
11d6c53b493966f211c1c2bea054385dbb189f3505e237ca544488884a39562f
f65cab4e1be0cd94844f227bd7c5b2c0b875970973d271a0a2deaf0a700bfaed
a96a34c47ca8192a0e77c99c8993a08bc4f66824bb243f423db8632491df13a6
SH256 hash:
b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae
MD5 hash:
925fc682341a0b019497e155f063ad61
SHA1 hash:
570a9d7315fb3228c52bd458f45f37056babc551
Link:
https://www.unpac.me/results/472eb655-681c-43d4-9de2-f77381cc46ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b98b36386c77a585d5b8f5a5d0e5bea1d7e4722e0ebf3e224284e12bd77ddbae

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/280856/
  
URLhaus
https://urlhaus.abuse.ch/url/2241479/

Comments


Avatar
zbet commented on 2022-06-17 07:04:35 UTC

url : hxxp://103.167.84.176/dataspace/vbc.exe