MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
SHA3-384 hash: 46da2b7625077e3be229ae0401295c8672f8d72bc132f0135af9ab6cb19ab39bc63968764e5df559ff6dc88f2b818c58
SHA1 hash: d7524fd3525faa6af6d4c329167c322062fb77b6
MD5 hash: d94b223af3fd6bedbc1552ffc63b85cd
humanhash: shade-indigo-emma-romeo
File name:NEW INQ vGT410267234500633.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:393'528 bytes
First seen:2023-11-22 05:17:51 UTC
Last seen:2023-11-22 07:16:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:RKt9zvWPOpk/oxQD9inI3PnmLws4475zzgBQvamwvq:oLzpxQD9iIPn38zzwi
Threatray 13 similar samples on MalwareBazaar
TLSH T181841291B5F59D7BC006A5B1A877DB505279EE3B1010D387131CFE67A9B22C70A8B32B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter JAMESWT_WT
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459649/
Detection(s):
SecuriteInfo.com.Gen.Variant.Fragtor.446728.209.3750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/655d8f0b58449c2b4e63ba58/reports/8dc855e6-6826-4614-a219-145d73729562/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e03fdc5-956b-4a00-ae83-e0b585378e6f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1346247
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1346247 Sample: NEW_INQ_vGT410267234500633.exe Startdate: 22/11/2023 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected FormBook 2->46 48 2 other signatures 2->48 10 NEW_INQ_vGT410267234500633.exe 17 2->10         started        13 irnwgcl.exe 2->13         started        16 irnwgcl.exe 2->16         started        process3 file4 40 C:\Users\user\AppData\Local\...\ppxsvdjxm.exe, PE32 10->40 dropped 18 ppxsvdjxm.exe 1 2 10->18         started        62 Multi AV Scanner detection for dropped file 13->62 64 Detected unpacking (changes PE section rights) 13->64 66 Machine Learning detection for dropped file 13->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->68 22 irnwgcl.exe 13->22         started        70 Maps a DLL or memory area into another process 16->70 24 irnwgcl.exe 16->24         started        signatures5 process6 file7 38 C:\Users\user\AppData\Roaming\...\irnwgcl.exe, PE32 18->38 dropped 50 Multi AV Scanner detection for dropped file 18->50 52 Detected unpacking (changes PE section rights) 18->52 54 Machine Learning detection for dropped file 18->54 56 2 other signatures 18->56 26 ppxsvdjxm.exe 18->26         started        signatures8 process9 signatures10 58 Maps a DLL or memory area into another process 26->58 60 Queues an APC in another process (thread injection) 26->60 29 GWlOtoeqHzhTkNEHx.exe 26->29 injected process11 process12 31 NETSTAT.EXE 29->31         started        signatures13 72 Maps a DLL or memory area into another process 31->72 34 explorer.exe 2 31->34 injected 36 GWlOtoeqHzhTkNEHx.exe 31->36 injected process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 05:17:32 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsqc7l4lobop7lls324h56evzztcmy3njghalmtuwb44tlhd3rnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
039de216dbdc8232a2235d2bd6b69ba4d3c43569e8547479051939c0fe16b775
Formbook
4169bc8ef83d44e5cd72de2f88c40602f7840d578e1ec0bbdd9b2a874bb75c4c
Formbook
889c9ba7e1d8f960077f5d150377151842bd435aef4485c4c5c78272bff35f9b
Formbook
9fa31f0b376ff15692417c2950eb8bca16391aa9e730e7947c47a9f566c5e025
Formbook
ddbd4b7c13d365eb339aad4d0e2deb0dff4b50287d5111f57ca8756f3746f940
Formbook
eb6639834b1b3fda93dc52d164f7d11f500188cd959810cf4c2f3b22eea1dde1
Formbook
f0831ec2522d7d8e085f88c8ead0df0478c75efe438e8449bab3f54553e47788
Formbook
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231122-fy99gabc4x/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
06cf57c6efb811190dc617d16520958ca0baf9a93ce2b42bd5c4f3543d1723e9
MD5 hash:
3e0d825a09dd2a3f4cf8e619d485f234
SHA1 hash:
8767712b5587156bd7f8cdadc6ea5a2c46e8fbd4
Link:
https://www.unpac.me/results/a875bf24-e161-4541-ae0c-1f9b7a99adee/
SH256 hash:
6de34355d6937b9c10ab201d3399faabffae74d0c87d30d8558b047175916256
MD5 hash:
72833bf0596aadf15a65e266f19c4f4b
SHA1 hash:
c2e5a08e16d4113f4a3e7d402c7a6374aab8cb87
Link:
https://www.unpac.me/results/a875bf24-e161-4541-ae0c-1f9b7a99adee/
SH256 hash:
bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
MD5 hash:
d94b223af3fd6bedbc1552ffc63b85cd
SHA1 hash:
d7524fd3525faa6af6d4c329167c322062fb77b6
Link:
https://www.unpac.me/results/a875bf24-e161-4541-ae0c-1f9b7a99adee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bca02faf8b70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459649/

Comments