MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c
SHA3-384 hash: 90f2d88df4c5f66a4774251eed5c7a6b0317440cef3d90d0e2b056c80aff9c6946df70d31cac9b212571d2f33e5fbae2
SHA1 hash: 8f751a63377498c1f4d0e4f619f573a96a978ec9
MD5 hash: 0871cbfa8ce408ea52b756e11393d2e3
humanhash: nine-angel-floor-fifteen
File name:T31597760-Confirm-20220928-100016-Email-1574408.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:720'384 bytes
First seen:2022-10-03 21:01:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 654e4d4e7a0e951b80123a7b5c1f7794 (1 x Formbook)
ssdeep 12288:ybOmOriMiEDW9a4nrpUbOrRL7e+ax+6m23m23mo26pbZeZr:yiprmEDWM4nCyrxi+ax+6m23m23mSpbc
Threatray 18'075 similar samples on MalwareBazaar
TLSH T1D1E49F26A6D08533C0235A348E5BC7DCA82EBF103D35D8877BD56E4C5F76681342A7AB
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon f4e4d4d4d4e8e8d4 (4 x ModiLoader, 2 x Formbook, 1 x RemcosRAT)
Reporter Racco42
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316240/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62424145.3879.22965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40930/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
formbook keylogger overlay
Link:
https://www.filescan.io/uploads/633b4dcbd089a0c15dd4da3c/reports/d3ec1990-d721-41e3-8125-2cd36018ce32/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/711856f2-dd8c-4bc4-a0a5-aebacfe7ad23
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082821
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 715378 Sample: T31597760-Confirm-20220928-... Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 32 www.sorbetcolours.com 2->32 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 6 other signatures 2->44 9 T31597760-Confirm-20220928-100016-Email-1574408.exe 1 20 2->9         started        signatures3 process4 dnsIp5 34 resimarmo.com 109.234.162.66, 49712, 49713, 80 O2SWITCHFR France 9->34 24 C:\Users\Public\Libraries\Cimczndw.exe, PE32 9->24 dropped 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Creates a thread in another existing process (thread injection) 9->58 60 Injects a PE file into a foreign processes 9->60 14 msiexec.exe 9->14         started        file6 signatures7 process8 signatures9 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process10 dnsIp11 26 saspresence.perf1.com 81.92.80.55, 49726, 49727, 80 NAMESHIELDFR France 17->26 28 www.admiral-juegos.com 172.105.103.207, 49725, 80 LINODE-APLinodeLLCUS United States 17->28 30 5 other IPs or domains 17->30 36 System process connects to network (likely due to code injection or exploit) 17->36 21 systray.exe 13 17->21         started        signatures12 process13 signatures14 46 Tries to steal Mail credentials (via file / registry access) 21->46 48 Tries to harvest and steal browser information (history, passwords, etc) 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-09-30 07:40:22 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xok4zkvvzyxyp4h4cedadmcz6z2clxx2t26lvjfra36hmoshp56a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14432a0f459c599dcf7726e1fd8b0c2a602c12db9b7db6be009b9c884801b47c
Formbook
15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
Formbook
24dbe688a855d9f0c1db91574e24837ab537b63a2e69c8a55240b14f151e5ed2
Formbook
39ddaee91bc18e34a3c39e4072d30bb05348713bdac74202e804857ccbcf6991
Formbook
4994e7acf451ce7d8abdccb79cce806011f09bd49a811fcd2689f32a51fdee09
Formbook
53376f42d74555ca568c7d1e205bcacc8c5ac970b110cb75fa0c389ed7713bb8
Formbook
74866c9e39b3fc10fa60155dad5cfb2e6b98c8d938349584ff6c358bf69c8482
Formbook
c5f31d9d3c1a204926f1a87c5873b01ba37153af5e55594ac5037091d56026ac
Formbook
ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616
Formbook
+ 18'065 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader campaign:2dou loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221003-zve4psfdbm/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Xloader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3caa0965-a365-467b-b4f3-5ea59a269464
Unpacked files
SH256 hash:
bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c
MD5 hash:
0871cbfa8ce408ea52b756e11393d2e3
SHA1 hash:
8f751a63377498c1f4d0e4f619f573a96a978ec9
Link:
https://www.unpac.me/results/d8b1a8b2-a1b5-49b1-b754-581e119a29d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb95ccaab5ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/316240/

Comments