MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bef21badc9c82be3a2446c61d67213addd54b665d17c4b75b64ec8d9558034f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 10

SHA256 hash: bef21badc9c82be3a2446c61d67213addd54b665d17c4b75b64ec8d9558034f5
SHA3-384 hash: e9814910ac5d47464335947c9684b6b94758217a4cce18959670962f8b248d2ba74899925a9d08fee115c0efc574ba58
SHA1 hash: 697a2b76a204fa7eec1b64974c82e599644ff7cd
MD5 hash: 52be464a440327051147bd477aab97d5
humanhash: diet-washington-sixteen-yellow
File name: BL.exe
Signature: Formbook
File size: 844'800 bytes
First seen: 2020-07-20 12:13:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger). This is the imphash shared by .NET executables, whose native import table holds only mscoree.dll!_CorExeMain; that is why it spans unrelated families, and it is not a useful pivot for this sample.
ssdeep: 12288:YK2wlDGtLRvr7S1q9I6/kldSCGDyaod+ik4g8y3SoD7ebJAkvP6ust66:72wJMtjuOPW2rEloD7UCo1
Threatray: 5'089 similar samples on MalwareBazaar
TLSH: 8405E0C93B40940EC59E1EBA4E51CD309370AD42F6F2E34767D26EDE29BE39BC905252
Reporter: James_inthe_box
Tags: exe FormBook
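Before spending time on a downloaded copy of this sample, re-check it against the record above. The script below is an added example for this entry, not MalwareBazaar's own code: hashlib covers MD5, SHA1, SHA256 and SHA3-384 (ssdeep and TLSH need third-party libraries and are left out), and `imphash()` recomputes the import hash from an import table you have already parsed with pefile or any PE parser, following pefile's published scheme (lowercased `lib.func` strings joined by commas, then MD5). The function names and the `RECORD` field names are this example's own; the sample data in the test is constructed.

```python
"""Verify a local file against this MalwareBazaar record and recompute imphash."""
import hashlib
from typing import Dict, Iterable, Mapping

# Values copied from the entry above.
RECORD = {
    "md5": "52be464a440327051147bd477aab97d5",
    "sha1": "697a2b76a204fa7eec1b64974c82e599644ff7cd",
    "sha256": "bef21badc9c82be3a2446c61d67213addd54b665d17c4b75b64ec8d9558034f5",
    "sha3_384": "e9814910ac5d47464335947c9684b6b94758217a4cce18959670962f8b248d2b"
                "a74899925a9d08fee115c0efc574ba58",
}

# imphash of an import table containing only mscoree.dll!_CorExeMain,
# i.e. the value every plain .NET executable gets.
GENERIC_DOTNET_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def digests(data: bytes) -> Dict[str, str]:
    """Compute every digest named in RECORD over the same bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in RECORD}


def verify(data: bytes, record: Mapping[str, str] = RECORD) -> Dict[str, bool]:
    """Per-algorithm match flags; all True means the file is this sample."""
    got = digests(data)
    return {name: got[name] == record[name].lower() for name in record}


def imphash(imports: Mapping[str, Iterable[str]]) -> str:
    """pefile-style imphash from {dll_name: [function names]} in import order.

    Ordinal-only imports (which pefile resolves through a lookup table) are not
    handled here; pass resolved names.
    """
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in {"dll", "ocx", "sys"} and base:
            lib = base
        for func in funcs:
            parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_generic_dotnet(ih: str) -> bool:
    """True when the imphash carries no family information (pure .NET stub)."""
    return ih.lower() == GENERIC_DOTNET_IMPHASH


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for algo, ok in verify(fh.read()).items():
            print(f"{algo:9s} {'match' if ok else 'MISMATCH'}")
```

Run it as `python verify_sample.py BL.exe`; any `MISMATCH` means the file on disk is not the object this page describes and the rest of the record (detections, behaviour) does not apply to it.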

Intelligence

File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Behaviour
Behavior Graph ID 248151 (sample BL.exe, start date 21/07/2020, architecture WINDOWS, score 100). The graph image did not survive extraction; the process tree, dropped files, network indicators and signatures it carried are listed below.

Process tree
BL.exe (started)
  drops C:\Users\user\AppData\Local\...\BL.exe.log (ASCII)
  starts RegSvcs.exe
    Modifies the context of a thread in another process (thread injection)
    Maps a DLL or memory area into another process
    Sample uses process hollowing technique
    2 other signatures
    injects into explorer.exe
      drops C:\Users\user\AppData\...\xdiltxaxxtl.exe (PE32)
      System process connects to network (likely due to code injection or exploit)
      Benign windows process drops PE files
      starts cmstp.exe
        drops C:\Users\user\AppData\...\277logrv.ini (data)
        drops C:\Users\user\AppData\...\277logri.ini (data)
        drops C:\Users\user\AppData\...\277logrf.ini (data)
        Detected FormBook malware
        Tries to steal Mail credentials (via file access)
        Tries to harvest and steal browser information (history, passwords, etc)
        3 other signatures
        starts cmd.exe
          starts conhost.exe
      starts autofmt.exe

Network
www.vdfmi.info (sample level)
www.whatswhat.net 109.68.33.18 (source port 49717, destination port 80), GD-EMEA-DC-LD5GB, United Kingdom (from explorer.exe)
www.xn--cckzabl5b1kwfbgfm8f.com (from explorer.exe)
www.nhangiaivn79.com (from explorer.exe)

Sample-level signatures
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
3 other signatures
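The process tree in the behaviour graph is the detection-relevant part of this entry: a loader in a user-writable path starts RegSvcs.exe, RegSvcs.exe hollows explorer.exe, the injected explorer.exe spawns cmstp.exe and autofmt.exe, cmstp.exe spawns cmd.exe, and explorer.exe talks to the internet. The script below is an added example, not tooling from MalwareBazaar or from the sandbox vendor: it encodes those four relationships as rules and runs them over constructed, Sysmon-like process-creation (event 1) and network-connection (event 3) records. The event field names (`id`, `pid`, `image`, `parent_image`, `dst_ip`, `dst_port`) and the rule names are this example's own assumptions; the events are modelled on the graph above, not real telemetry.

```python
"""Flag the parent/child and network pattern from this sample's sandbox run."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed events modelled on the behaviour graph above (not real telemetry).
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\user\Desktop\BL.exe",
     "parent_pid": 2000, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4212,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_pid": 4100, "parent_image": r"C:\Users\user\Desktop\BL.exe"},
    {"id": 1, "pid": 4300, "image": r"C:\Windows\System32\cmstp.exe",
     "parent_pid": 2000, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4304, "image": r"C:\Windows\System32\autofmt.exe",
     "parent_pid": 2000, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4400, "image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4300, "parent_image": r"C:\Windows\System32\cmstp.exe"},
    {"id": 3, "pid": 2000, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "109.68.33.18", "dst_port": 80},
    # Benign noise: the user opening Notepad from the desktop shell.
    {"id": 1, "pid": 4500, "image": r"C:\Windows\System32\notepad.exe",
     "parent_pid": 2000, "parent_image": r"C:\Windows\explorer.exe"},
]

# Paths a phishing attachment typically lands in before execution.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|desktop|downloads)\\|\\windows\\temp\\", re.I)

# The two explorer.exe children in the graph; FormBook hollows one of these.
HOLLOWING_TARGETS = {"cmstp.exe", "autofmt.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(ev: Dict) -> List[str]:
    """Return the names of every rule the event matches (empty if clean)."""
    hits: List[str] = []
    if ev["id"] == 1:
        child, parent = _basename(ev["image"]), _basename(ev["parent_image"])
        # Rule 1: .NET utility RegSvcs.exe started by something in a user path.
        if child == "regsvcs.exe" and USER_WRITABLE.search(ev["parent_image"]):
            hits.append("regsvcs_from_user_path")
        # Rule 2: the shell spawning a hollowing target it has no reason to run.
        if parent == "explorer.exe" and child in HOLLOWING_TARGETS:
            hits.append("explorer_spawns_hollowing_target")
        # Rule 3: cmstp.exe is not an interactive tool; it should not need cmd.exe.
        if parent == "cmstp.exe" and child == "cmd.exe":
            hits.append("cmstp_spawns_cmd")
    elif ev["id"] == 3:
        # Rule 4: "System process connects to network" from the graph.
        ip = ipaddress.ip_address(ev["dst_ip"])
        if _basename(ev["image"]) == "explorer.exe" and ip.is_global:
            hits.append("explorer_outbound_connection")
    return hits


def triage(events) -> List[Tuple[int, str]]:
    """(pid, rule) pairs for every hit across the event stream."""
    return [(ev["pid"], rule) for ev in events for rule in flag_event(ev)]


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 is the one worth tuning in a real estate: developer machines legitimately run RegSvcs.exe, but from a Visual Studio or SDK path, not from a parent sitting in Desktop, Downloads or AppData. Rules 2 and 3 rarely fire on benign activity and rule 4 depends on explorer.exe outbound traffic being unusual in your environment, so check a baseline before alerting on it.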
Result
Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2020-07-20 09:01:19 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 25 of 29 (86.21%)
Threat level: 2/5
Note that Negasteal is the name some vendors use for Agent Tesla, so this engine disagrees on family with the other results on this page, which all say FormBook.

Result
Malware family: formbook
Score: 10/10
Tags: persistence spyware trojan stealer family:formbook
Behaviour
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


Additional information about this sample (delivery method and external references):

Delivery method: Other