MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7
SHA3-384 hash: d7bfedcbe1fb94d557d6d3849b53f869b54a96660886cff1e40f8c43231ae4d50aaf4e8276d8cc371eeb89b1067ad750
SHA1 hash: a311ff39223cf604b033fb940f5bcb5975e1dd21
MD5 hash: c17f541fdb6b3cb61be539e348d6ee0f
humanhash: moon-pasta-white-alpha
File name:c17f541fdb6b3cb61be539e348d6ee0f
Download: download sample
Signature Formbook
Create hunting rule
File size:316'811 bytes
First seen:2023-10-03 19:07:26 UTC
Last seen:2023-10-03 19:35:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 6144:LnPdudwDzzZCMdRe6C20MlphqSWkwB8DTKvG5wAPVj6laU2Dzbnw6fJD6nHFlVwT:LnPdvz3uqphtWHB8DTKvQPUIbnML6T
Threatray 3'600 similar samples on MalwareBazaar
TLSH T10464125173ACC041D96746300EB9CA3195B3892DC6B1970A97F07F5DB8B33A2973E7A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.35298.17199.23722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed remcos shell32 threat virus
Link:
https://www.filescan.io/uploads/651c669364965c51f773250a/reports/b61c94e4-2c6a-42a8-93d7-d05ea49941dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cbeca1c-23f8-4402-8aad-86cd61f84a73
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318988
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318988 Sample: HXHdAK5GSf.exe Startdate: 03/10/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 8 other signatures 2->53 11 HXHdAK5GSf.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\...\jvvbbwmcda.exe, PE32 11->31 dropped 14 jvvbbwmcda.exe 11->14         started        process5 signatures6 65 Multi AV Scanner detection for dropped file 14->65 67 Maps a DLL or memory area into another process 14->67 69 Tries to detect virtualization through RDTSC time measurements 14->69 17 jvvbbwmcda.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 3 1 17->20 injected process9 dnsIp10 33 b2b-scaling.com 15.197.142.173, 49805, 80 TANDEMUS United States 20->33 35 www.summitstracecolumbus.com 85.202.174.60, 49804, 80 QUICKPACKETUS United Kingdom 20->35 37 10 other IPs or domains 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 57 Uses netsh to modify the Windows network and firewall settings 20->57 24 netsh.exe 20->24         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 63 Tries to detect virtualization through RDTSC time measurements 24->63 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 11:29:14 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyabiynmwjsshoit7e3wdmkpk36h3v7sk3uqvzj3idylidoylg3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18241c79365258168f917fe03f0d27cc9c9ef3dbc81d3161ebee32887569496c
Formbook
1837977343db27c358f1e1591e4aac16bb0cbd920ccb5663c2d4c7cf1baa1067
Formbook
247c8156cf06c5d9dec7d5fa0b158339110b556d41b0750bff34d36086554746
Formbook
2ef0bca062416bb4b30fe880508050fbf92c3f5e4669ce151f91b5a146e84d66
Formbook
8b57c28d168dbb2d1f1a7520c4331c657ba9970be6eba72a552b58ad3519e0e8
Formbook
acdf8d88a30518cf72ff6b37e7610fa5774d657da25ff500e8a76390e56fe103
Formbook
eb793e35af4458eb9591d27e4788f34f4d6babcd866879a71b307842bc68fdfb
Formbook
ecd04804617988e39d5f075e021f6403a33b688ef388f75b897e4c4f7e21e466
Formbook
f34fd6bbeea3da4838e068cb7aa4f867b3d4d8c435dcc8926895d1c033bd7622
Formbook
f3c99b21d43e967be5b3e53e70050b9d6dce181fe5415f9825b512850ecb0b52
Formbook
+ 3'590 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:sy22 rat spyware stealer trojan
Link:
https://tria.ge/reports/231003-xs7ptsfb4v/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
997242c520c2a643699d29f75914969c3f31f8058fbe8ecf0840b8206df5b22a
MD5 hash:
7f1193528553395e064f4d3c4425e9f6
SHA1 hash:
14030101197f13a5b5f1d6ea54d341609fe082fa
Link:
https://www.unpac.me/results/67396eb3-ac5a-42fa-804c-f3afb92e7b83/
SH256 hash:
be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7
MD5 hash:
c17f541fdb6b3cb61be539e348d6ee0f
SHA1 hash:
a311ff39223cf604b033fb940f5bcb5975e1dd21
Link:
https://www.unpac.me/results/67396eb3-ac5a-42fa-804c-f3afb92e7b83/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be001461acb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe be001461acb26523b913f93761b14f56fc7dd7f256e90ae53b40f0b40dd859b7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715646/
  
URLhaus
https://urlhaus.abuse.ch/url/2715727/
  
URLhaus
https://urlhaus.abuse.ch/url/2716195/

Comments


Avatar
zbet commented on 2023-10-03 19:07:27 UTC

url : hxxp://107.172.75.146/700/nvpn.exe