MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 24 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c
SHA3-384 hash: efc3558e609ce24d1d5ad6187c4495800b3ae28369c431b764f5f14ba1a66e81d22b67142a0ba0f2bcd5da79715c12d9
SHA1 hash: 94a3e2a59202fd3590d1f9e4755727303e14662f
MD5 hash: 739cefccf7fa26e1f7f9923a6cc9620a
humanhash: sixteen-king-cola-yankee
File name:739cefccf7fa26e1f7f9923a6cc9620a
Download: download sample
Signature Formbook
Create hunting rule
File size:724'488 bytes
First seen:2024-04-18 09:45:48 UTC
Last seen:2024-04-18 10:44:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:n3bjrXu7i/5sf2FOcMoywdwDvJaFSitOjaQEeopByBJ548Mpp+8MiwgNOj626tcs:3TQeFxTgoFSiODigilklco6pf
Threatray 505 similar samples on MalwareBazaar
TLSH T115F4235FBF9DA343D63C1EB1A1A6963843F195C60483FBA91C85247B6BD2BD04603B27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70e4d8b8f8e8c470 (8 x AgentTesla, 4 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c.exe
Verdict:
Malicious activity
Analysis date:
2024-04-18 09:46:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a6269ee-803b-4eff-a9f7-0c87e7d03bf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Moving a file to the Program Files subdirectory
Replacing files
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6620ebe13137a4e0f3bae66d/reports/f621ab7e-f923-4ade-acd2-e10572dca7f6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5029e0f4-d3c0-4de3-957f-da3db5b3fb17
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1427959
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427959 Sample: 2x6j7GSmbu.exe Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 65 www.book-of-degen.xyz 2->65 67 www.wewear-jim.com 2->67 69 18 other IPs or domains 2->69 77 Snort IDS alert for network traffic 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Sigma detected: Scheduled temp file as task from temp location 2->81 85 7 other signatures 2->85 10 2x6j7GSmbu.exe 7 2->10         started        14 IUesisbqruhCfD.exe 5 2->14         started        signatures3 83 Performs DNS queries to domains with low reputation 65->83 process4 file5 55 C:\Users\user\AppData\...\IUesisbqruhCfD.exe, PE32 10->55 dropped 57 C:\Users\user\AppData\Local\...\tmp812F.tmp, XML 10->57 dropped 91 Uses schtasks.exe or at.exe to add and modify task schedules 10->91 93 Adds a directory exclusion to Windows Defender 10->93 16 2x6j7GSmbu.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        27 2 other processes 10->27 95 Multi AV Scanner detection for dropped file 14->95 97 Machine Learning detection for dropped file 14->97 23 IUesisbqruhCfD.exe 14->23         started        25 schtasks.exe 14->25         started        signatures6 process7 signatures8 71 Maps a DLL or memory area into another process 16->71 29 uGFTLkfUaeVmmnimMivakBAZ.exe 16->29 injected 73 Loading BitLocker PowerShell Module 19->73 31 WmiPrvSE.exe 19->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 uGFTLkfUaeVmmnimMivakBAZ.exe 23->37 injected 40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        process9 signatures10 44 wecutil.exe 13 29->44         started        87 Maps a DLL or memory area into another process 37->87 89 Found direct / indirect Syscall (likely to bypass EDR) 37->89 47 wecutil.exe 37->47         started        process11 signatures12 99 Tries to steal Mail credentials (via file / registry access) 44->99 101 Tries to harvest and steal browser information (history, passwords, etc) 44->101 103 Deletes itself after installation 44->103 105 3 other signatures 44->105 49 uGFTLkfUaeVmmnimMivakBAZ.exe 44->49 injected 53 firefox.exe 44->53         started        process13 dnsIp14 59 www.stellarso.top 203.161.50.129, 49754, 49755, 49756 VNPT-AS-VNVNPTCorpVN Malaysia 49->59 61 webwheelsmedia.com 162.241.253.78, 49745, 49746, 49747 UNIFIEDLAYER-AS-1US United States 49->61 63 11 other IPs or domains 49->63 75 Found direct / indirect Syscall (likely to bypass EDR) 49->75 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-04-18 09:46:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xl7ds6opq5q6j4yfkckcocm66dtbsphao4rw4mkubl7uyr65y5ga._file
Verdict:
malicious
Similar samples:
0a88a2e3cd7e300b0d55966ff1b19c3643739dd1bdeaada05f9e7f8841557202
Formbook
37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7
Formbook
7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d
Formbook
99450e636243dad54861d58c1e62fae329b69b4c9af6ed1f53fba851d20b2fa7
Formbook
9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784
Formbook
ad048fa92eef59c07432e25c1afa2af4853be0a301e3ea64910352373fdea51c
Formbook
c7a16881f8c69d16a9b0bdcbfdd5c4aada81eba19521d1c03ee7f6005f7d6629
Formbook
e6d6e42a6b67e3fdad165a4a0b5659773c3212c3aac6d323c30bea339da8f686
Formbook
fe4b792ecc090ae8bcbef6fcff695cfdb39218a8407bcadb6dcbfabfc6109ca5
Formbook
+ 495 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240418-lrlv7aag51/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
e585ca9d0396c37f302106024b1b590a3bade9ed1eb0101c8143472e0e856490
MD5 hash:
3f4caae94621f067cf137d4ad8dd51b2
SHA1 hash:
53d7d1db287c60e92d005f9ae1d90b8815fa0247
Link:
https://www.unpac.me/results/f5980c28-775d-4106-8165-f6a20557e8b5/
SH256 hash:
8b49e2bfbaabc25153e2142a98e42db19ffb127ba35c509adba1ad1aa162dbe3
MD5 hash:
ebf68ea33f3be56f936456a4767a1f52
SHA1 hash:
af3c848a35605e18a391111cd1311f4073bc2810
Link:
https://www.unpac.me/results/f5980c28-775d-4106-8165-f6a20557e8b5/
SH256 hash:
1c633f39a192f108f755e0bcf412e8489ad80781f3b7807c80892deb2526ff0d
MD5 hash:
e4b5d57e9e46a4e76075b5b92f71577f
SHA1 hash:
d76dc165724148193c6911cc75fc62c198737d3a
Link:
https://www.unpac.me/results/f5980c28-775d-4106-8165-f6a20557e8b5/
Parent samples :
d89ea6a01347b82f963ed7960583e5d76c6a07e91852fae83bc290e0f64a06b2
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
26a36920e7a463398a4251828ec02fd965ad1d782f819b0c04904706efb083be
SH256 hash:
e8d5a9219e8af1cf0ed3c2dffaeee22b38da4ea86d02502ea3e48e6da80dc40e
MD5 hash:
eb53f8b2ad757b9fdaaa04ccf238a125
SHA1 hash:
698712042011f2ee4c9a014912920c82b0a230d2
Link:
https://www.unpac.me/results/f5980c28-775d-4106-8165-f6a20557e8b5/
SH256 hash:
05ccdcde99a2a3cdd140041276d45c42ebfea445df1b97d7ab6e0989248eae72
MD5 hash:
04f04e576f60a4572fb34de097f76886
SHA1 hash:
3edcbc2f56a25ddc31e000740dbb530cc0267810
Link:
https://www.unpac.me/results/f5980c28-775d-4106-8165-f6a20557e8b5/
SH256 hash:
bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c
MD5 hash:
739cefccf7fa26e1f7f9923a6cc9620a
SHA1 hash:
94a3e2a59202fd3590d1f9e4755727303e14662f
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/f5980c28-775d-4106-8165-f6a20557e8b5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bafe3979cf87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bafe3979cf8761e4f305509427099ef0e6193ce077236e31540aff4c47ddc74c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2816557/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
zbet commented on 2024-04-18 09:45:49 UTC

url : hxxps://universalmovies.top/o9RbXKF6ZJDK949.scr