MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067
SHA3-384 hash:	a9bbeb9f41c43feb6ef74424e2abfa4f7e564952c41c1f74b6f68652b3d0305cbbc984f5e4452a7d7f7eb5284deaeb13
SHA1 hash:	0fea82ff3ce07f31c5e785b58b6a1aee43d8778f
MD5 hash:	45ee0796819451c310a4652b2f4c9e55
humanhash:	lithium-connecticut-king-vegan
File name:	RFQINVOICE09876000090.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	393'447 bytes
First seen:	2023-09-29 06:47:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep	12288:LnPdvKRsZayz+O73iyx48RAgaPF5dkg3FM:TPdvQsZvf48Q1kg3FM
Threatray	14 similar samples on MalwareBazaar
TLSH	T14F8423A17634CE97ECB34A370E3F9A1246F36C6492749B0F2390B66D3EA7381542E614
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

308

Origin country :

PL

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451868/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.905.16544.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Dragonfly

Gathering data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  5/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/6516732383a0c6425d026857/reports/8c6e43c5-de36-4e94-9b86-bf32435ade80/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc12bb8e-ea00-46cb-9857-22593b4cd560

Joe Sandbox FormBook, NSISDropper

Result

Threat name:

FormBook, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1316204

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample has a suspicious name (potential lure to open the executable)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067/

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-09-29 02:29:04 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

21 of 36 (58.33%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xseqparzbjb3waw6fj7w2254d4c4z3wu4ytx6pzwogpnwfglkbtq._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee

Formbook

1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f

Formbook

2a4b8b4d329377ee94fbb2fdb88afa277be98d82a1373adf5e43777833720265

Formbook

50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1

Formbook

b47036189825426c6e368fd21594aaba8dbdcf573464d2939f99da44c9874b97

Formbook

c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461

Formbook

f23c197a08df004d0646c8588e588d3ae064368a208f4679718c0c8995161362

Formbook

+ 4 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230929-hkrw3sgc5z/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UnpacMe 2

Unpacked files

SH256 hash:

da7b0be64ebe422d4cbd53f072a32647b65c3a87b7ad333184b595efb42f5c13

MD5 hash:

d0d39072d96466898066b3a39747087e

SHA1 hash:

2c41d13e28a6ca285b1f2d44bc8eb5d27e8b33e2

Link:

https://www.unpac.me/results/79f1d230-454d-49d9-8378-dfe542f1b7f6/

SH256 hash:

bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067

MD5 hash:

45ee0796819451c310a4652b2f4c9e55

SHA1 hash:

0fea82ff3ce07f31c5e785b58b6a1aee43d8778f

Link:

https://www.unpac.me/results/79f1d230-454d-49d9-8378-dfe542f1b7f6/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bc890782390a/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc890782390a43bb02de2a7f6d6bbc1f05cceed4e6277f3f36719edb14cb5067

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451868/