MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc1639de9b817b9d369cae27aa956d74339e106bff317c9c1c2bca4310fd1403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: bc1639de9b817b9d369cae27aa956d74339e106bff317c9c1c2bca4310fd1403
SHA3-384 hash: 4fedbdc9ea5bd0678fb5cce1aa1be21e16c742b6c97564978223ccef97b217796ec7fd361de2efbc80305cb7497d40b2
SHA1 hash: f4af2d842027698d049b173c84fe8f546cee500b
MD5 hash: 0f24969f6ee318933274f77d6d6ff7b0
humanhash: pluto-angel-wisconsin-fillet
File name: BEFEHL pdf.exe
Signature: Formbook
File size: 1'007'616 bytes
First seen: 2023-06-27 05:28:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b2ffe640086070c19351a52301f6fb90 (2 x ModiLoader, 2 x Formbook, 1 x RemcosRAT)
ssdeep: 12288:zWI+n1cF0p4WhPQbXfu/i7Nx29T1CWaXqIov5n0fc8MMvdgV25wqYyEyHcsbOonK:z28tWhPKXf9PvXqgfvcQrEyHFbOwd
Threatray: 3'449 similar samples on MalwareBazaar
TLSH: T12825CF57A2C088BBC9A266785C8F9674FC15BE243E78B805FED03F5C6E7624174192B3
TrID:
  86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.3% (.SCR) Windows screen saver (13097/50/3)
  1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 70f8ecdac6e6c0d0 (4 x Formbook, 3 x ModiLoader, 2 x RemcosRAT)
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 292
Origin country: DE

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: BEFEHL pdf.exe
Verdict: Malicious activity
Analysis date: 2023-06-27 05:30:56 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: keylogger lolbin overlay packed remcos
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph: (graph image not reproduced here; Behavior Graph ID: 894835, Sample: BEFEHL_pdf.exe, Startdate: 27/06/2023, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Remcos
Status: Malicious
First seen: 2023-06-26 08:30:11 UTC
File Type: PE (Exe)
Extracted files: 87
AV detection: 22 of 37 (59.46%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:formbook family:modiloader campaign:ges9 persistence rat spyware stealer trojan
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 77dc4c40bbc2b53f5a6bebaf4f4a0ce052ff80cf3bc5d4a832abfc0eebeb8adf
MD5 hash: ecd8ca3845d9d9b592ed8fa0fca410e1
SHA1 hash: 1429eab11b4245275c1c44d9df54e34882d4ef3f
Detections: win_dbatloader_g1

SHA256 hash: bc1639de9b817b9d369cae27aa956d74339e106bff317c9c1c2bca4310fd1403
MD5 hash: 0f24969f6ee318933274f77d6d6ff7b0
SHA1 hash: f4af2d842027698d049b173c84fe8f546cee500b
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CMD_Ping_Localhost

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth (Nextron Systems)
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe bc1639de9b817b9d369cae27aa956d74339e106bff317c9c1c2bca4310fd1403 (this sample)
Delivery method: Distributed via e-mail attachment

Comments