MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
SHA3-384 hash: 79419fde29b0acee873d74a9d1aac06e6ee354513bf331fc42a3a194092e429de0ba7b17d9ec4238c6f3411259e61125
SHA1 hash: d5814cff46164e3011bfce0d3bd7f6692ec63c64
MD5 hash: 8392650851d29f54e051d8a6499889a5
humanhash: twelve-maryland-fanta-william
File name:8392650851d29f54e051d8a6499889a5
Download: download sample
Signature Formbook
Create hunting rule
File size:2'385'720 bytes
First seen:2024-04-06 09:20:42 UTC
Last seen:2024-04-06 10:30:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:4EWDvY84YWarHKnuQDuZu/RJJlB8xsDDckz8YKBg1i1IIMoq:OxkDumRJJlQuDcXMDJ
Threatray 1'312 similar samples on MalwareBazaar
TLSH T15CB52233BF9BC7E1C2D95B36EAC641040774EA8162A3E7093C4B27684D477FA998161F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08.exe
Verdict:
Malicious activity
Analysis date:
2024-04-06 09:21:23 UTC
Tags:
evasion xworm
Link:
https://app.any.run/tasks/4b311f3b-8092-4a29-8b55-4c9b107c903f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a window
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor overlay packed packed
Link:
https://www.filescan.io/uploads/6611140315f64ac5035251b5/reports/cb6c9f9c-4aac-47b8-997d-a761dd7ab393/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/292b241a-2092-4e0b-986d-7a5f41b93c79
Result
Threat name:
Chaos, PureLog Stealer, Wiper, XWorm
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1421293
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to infect the boot sector
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Chaos Ransomware
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Wiper
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1421293 Sample: vJ1BkIFajK.exe Startdate: 06/04/2024 Architecture: WINDOWS Score: 100 70 gamemodz.duckdns.org 2->70 72 ip-api.com 2->72 86 Snort IDS alert for network traffic 2->86 88 Multi AV Scanner detection for domain / URL 2->88 90 Found malware configuration 2->90 94 17 other signatures 2->94 9 vJ1BkIFajK.exe 1 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 8 2->14         started        16 7 other processes 2->16 signatures3 92 Uses dynamic DNS services 70->92 process4 dnsIp5 112 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->112 19 cvtres.exe 17 21 9->19         started        24 WerFault.exe 12->24         started        26 WerFault.exe 12->26         started        28 WerFault.exe 2 14->28         started        68 127.0.0.1 unknown unknown 16->68 30 conhost.exe 16->30         started        32 conhost.exe 16->32         started        34 conhost.exe 16->34         started        36 2 other processes 16->36 signatures6 process7 dnsIp8 74 gamemodz.duckdns.org 45.128.96.133, 4678, 49731, 49750 XXLNETNL Germany 19->74 76 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 19->76 58 C:\Users\user\AppData\Local\Temp\tigzll.exe, PE32 19->58 dropped 60 C:\Users\user\AppData\Local\Temp\oheqcn.exe, PE32 19->60 dropped 62 C:\Users\user\AppData\Local\Temp\fsggyd.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Roaming\cvtres.exe, PE32 19->64 dropped 96 Protects its processes via BreakOnTermination flag 19->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 19->98 38 oheqcn.exe 19->38         started        41 fsggyd.exe 19->41         started        44 tigzll.exe 19->44         started        46 3 other processes 19->46 file9 signatures10 process11 dnsIp12 100 Antivirus detection for dropped file 38->100 102 Multi AV Scanner detection for dropped file 38->102 104 Machine Learning detection for dropped file 38->104 49 WerFault.exe 19 16 38->49         started        66 C:\Windows\System32\drivers\vfdr.sys, PE32+ 41->66 dropped 106 Contains functionality to infect the boot sector 41->106 108 Sample is not signed and drops a device driver 41->108 110 Deletes shadow drive data (may be related to ransomware) 44->110 51 WerFault.exe 44->51         started        82 192.168.2.4, 443, 4678, 49723 unknown unknown 46->82 84 239.255.255.250 unknown Reserved 46->84 53 chrome.exe 46->53         started        56 conhost.exe 46->56         started        file13 signatures14 process15 dnsIp16 78 www.google.com 142.250.217.164, 443, 49757 GOOGLEUS United States 53->78 80 i.imgflip.com 104.16.71.101, 443, 49744, 49747 CLOUDFLARENETUS United States 53->80
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2024-04-06 09:21:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgf2j5ek2wfflj4xglxkd6aihc6cnxakwo5aia6qji6clx44huea._file
Verdict:
malicious
Similar samples:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Formbook
495c76a1f5b27c1d1dd4c02a2d6b14c33f02f7fff1d4720e9f751055f9dd9a51
Formbook
9df4aaa956d54f55f1bb038f3e8f086169983e094ef8432cd71df928a888a2d0
Formbook
c4e838a74e5baf5dbd86beedff96c1c9353b49ecf2ad362f47a4b134453701ab
Formbook
c952c8f048ab52ec54ca80540bcf4432edfecaacc47922abf582f84b7add49fb
Formbook
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc
Formbook
f786d300e911c09396715900b66e26e1666570bb9483477f76040db3eaae15de
Formbook
+ 1'302 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:chaos family:hermeticwiper family:xworm family:zgrat persistence ransomware rat trojan wiper
Link:
https://tria.ge/reports/240406-lbbqaafg92/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Chaos
Chaos Ransomware
Detect HermeticWiper
Detect Xworm Payload
Detect ZGRat V1
HermeticWiper
Xworm
ZGRat
Malware Config
C2 Extraction:
gamemodz.duckdns.org:4678
Unpacked files
SH256 hash:
46f7851e987da704a186230855ec9eb3d81f13b5459b3087d4e84e04c1ee034d
MD5 hash:
d183ed3e9d1a22025d175ae56ce68b3c
SHA1 hash:
fc9ec2348ea492a6f3d9d608aa8fc37fa703ad7a
Detections:
XWorm
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/12d0472b-b886-4e4a-90ee-4b6ba46fe339/
SH256 hash:
b8019baf6e362990c6327a031d32f1640b608ce4de8d10f10d5abd45a4599286
MD5 hash:
57f2a7f991dd8f4ca8e1434839164d80
SHA1 hash:
c89e0519e81554cdb7418f9afbc54b1e09159fb0
Link:
https://www.unpac.me/results/12d0472b-b886-4e4a-90ee-4b6ba46fe339/
SH256 hash:
47df0b2f9ba0ec582b594b6dc62faf5350ddcc678cd31ac031f0dc74db4a9f6b
MD5 hash:
325268f77bfee1e1591779d9a91de005
SHA1 hash:
c06947746faae0cc0e330a0f65c989b60acceffa
Link:
https://www.unpac.me/results/12d0472b-b886-4e4a-90ee-4b6ba46fe339/
SH256 hash:
56b646ed5929ca9755e9d426be09cf1fbf00d1b099a39f61d342f360ba20f7f7
MD5 hash:
2c4bf96cbb63f2533c4377fa27b9bdc7
SHA1 hash:
45814115b36457dcc3d1e55881e44180640019a8
Link:
https://www.unpac.me/results/12d0472b-b886-4e4a-90ee-4b6ba46fe339/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/12d0472b-b886-4e4a-90ee-4b6ba46fe339/
SH256 hash:
b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
MD5 hash:
8392650851d29f54e051d8a6499889a5
SHA1 hash:
d5814cff46164e3011bfce0d3bd7f6692ec63c64
Link:
https://www.unpac.me/results/12d0472b-b886-4e4a-90ee-4b6ba46fe339/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b98ba4f48ad5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2802713/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-04-06 09:20:43 UTC

url : hxxp://168.138.211.88:8099/q5mdd5/func.exe