MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9
SHA3-384 hash: fe21f17a65234a525dafdac77e8de94605f652ebb6f1364e8d73803bb9983014344b88504e9915d542a0be9dff90d203
SHA1 hash: 82c3dd777223be8e04eb4160bdad3c5f275955a7
MD5 hash: 60defe8016bcba74daad948ee62fab5a
humanhash: double-lake-alpha-muppet
File name:xls.com-
Download: download sample
Signature FormBook
Create hunting rule
File size:875'008 bytes
First seen:2022-05-26 02:06:38 UTC
Last seen:2022-05-26 02:34:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c91d4a716276d049724e2941865c6cb3 (1 x FormBook, 1 x AveMariaRAT)
ssdeep 12288:OiEB1H+YaRBrQmkq2ik9XpaJl6d1d4tg3D7lCrOjgB3tVSX3x7FRS4003B3ktfH:OiO6bQmGJXpaHngHUAgdtVSn523GB0
TLSH T145159E23F1A17433D1732A789C1BA7989E25BE003924B94B7FE81E4C9F397917935293
TrID 65.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
25.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.2% (.EXE) InstallShield setup (43053/19/16)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 66e69292caa2e2c8 (2 x FormBook, 1 x AveMariaRAT)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
xls.com-
Verdict:
Malicious activity
Analysis date:
2022-05-26 02:08:30 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/c484d2bd-dbf2-4bea-a16a-3001e422bd84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274631/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.23971.9504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a file in the %temp% directory
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit keylogger packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/628ee0c9370bb1455cc69e2a/reports/852a6b48-e7e4-40fd-9eeb-2f8aacbce556/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab0b0dcd-e9e2-46bb-bd7f-c1be175a429b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001924
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634420 Sample: xls.com- Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 2 other signatures 2->82 10 xls.exe 1 21 2->10         started        process3 dnsIp4 58 qqn4va.db.files.1drv.com 10->58 60 onedrive.live.com 10->60 62 db-files.fe.1drv.com 10->62 54 C:\Users\Public\Libraries\Svissuc.exe, PE32 10->54 dropped 56 C:\Users\...\Svissuc.exe:Zone.Identifier, ASCII 10->56 dropped 112 Writes to foreign memory regions 10->112 114 Allocates memory in foreign processes 10->114 116 Creates a thread in another existing process (thread injection) 10->116 118 Injects a PE file into a foreign processes 10->118 15 DpiScaling.exe 10->15         started        18 cmd.exe 1 10->18         started        file5 signatures6 process7 signatures8 120 Modifies the context of a thread in another process (thread injection) 15->120 122 Maps a DLL or memory area into another process 15->122 124 Sample uses process hollowing technique 15->124 126 2 other signatures 15->126 20 explorer.exe 2 15->20 injected 22 cmd.exe 1 18->22         started        24 conhost.exe 18->24         started        process9 process10 26 wlanext.exe 18 20->26         started        30 Svissuc.exe 15 20->30         started        33 Svissuc.exe 15 20->33         started        35 mstsc.exe 20->35         started        37 conhost.exe 22->37         started        dnsIp11 50 C:\Users\user\AppData\...\OQNlogrv.ini, data 26->50 dropped 52 C:\Users\user\AppData\...\OQNlogri.ini, data 26->52 dropped 92 Detected FormBook malware 26->92 94 Tries to steal Mail credentials (via file / registry access) 26->94 96 Tries to harvest and steal browser information (history, passwords, etc) 26->96 110 2 other signatures 26->110 39 cmd.exe 2 26->39         started        64 qqn4va.db.files.1drv.com 30->64 66 onedrive.live.com 30->66 68 db-files.fe.1drv.com 30->68 98 Multi AV Scanner detection for dropped file 30->98 100 Writes to foreign memory regions 30->100 102 Allocates memory in foreign processes 30->102 42 DpiScaling.exe 30->42         started        70 qqn4va.db.files.1drv.com 33->70 72 onedrive.live.com 33->72 74 db-files.fe.1drv.com 33->74 104 Creates a thread in another existing process (thread injection) 33->104 106 Injects a PE file into a foreign processes 33->106 44 DpiScaling.exe 33->44         started        108 Tries to detect virtualization through RDTSC time measurements 35->108 file12 signatures13 process14 signatures15 84 Tries to harvest and steal browser information (history, passwords, etc) 39->84 46 conhost.exe 39->46         started        86 Modifies the context of a thread in another process (thread injection) 44->86 88 Maps a DLL or memory area into another process 44->88 90 Sample uses process hollowing technique 44->90 48 wlanext.exe 44->48         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2022-05-26 01:37:23 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xse3x65wuqnercrk3gq2kw7jxiuld7zvagsneids5ljsweqyg3eq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:p3ss persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220526-cjzmmsbdgq/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
cb4371c8bfd71e36a09b764720cdbe9f9e35661b97e1c781174242ad8a623b24
MD5 hash:
8f6b4ef81142cfb7e431083fcaa4632e
SHA1 hash:
39603d4bb7828285b2e7b45db99d3f08099f2615
Link:
https://www.unpac.me/results/63f004ce-0ade-4d56-86ad-17161e772006/
SH256 hash:
bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9
MD5 hash:
60defe8016bcba74daad948ee62fab5a
SHA1 hash:
82c3dd777223be8e04eb4160bdad3c5f275955a7
Link:
https://www.unpac.me/results/63f004ce-0ade-4d56-86ad-17161e772006/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc89bbfbb6a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274631/

Comments