MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments 1

SHA256 hash: d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5
SHA3-384 hash: 4a00a2d75a0bda5629a1704adfc3ee1646e43efbdeca3aa45d75bbfa4c94ae78c3f750dc4d2e0c023ae7f652658ee928
SHA1 hash: 2ace6bc0488df9b8592e25be3de38e6c9a0c16da
MD5 hash: 5fc986129c3d833b1c7e5ba6ff3678bc
humanhash: king-fruit-emma-oklahoma
File name:5fc986129c3d833b1c7e5ba6ff3678bc
Download: download sample
Signature Formbook
File size:219'440 bytes
First seen:2022-05-05 06:05:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (326 x Formbook, 222 x Loki, 138 x GuLoader)
ssdeep 3072:l1NjcVVnLpPunbD0r9X/MP5LsCIVa1aP+KQ4kFHP67DzJEhShrM/joS9zAQNgOau:HNeZmQrV/MP8XXklIiheMLPztvau
TLSH T1DA2412351380C8E7D91B07305E392BA7D7B9AB366375931B139826ACBCA1391E31F794
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (1'240 x Formbook, 766 x Loki, 246 x AgentTesla)
Reporter @zbetcheckin
Tags:32 exe FormBook trojan

Intelligence


File Origin
# of uploads :
1
# of downloads :
1'112
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
AWB_NO_9284730932.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-05 05:18:36 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader formbook trojan stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
–°reating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620775 Sample: Ay9xkK3NYN Startdate: 05/05/2022 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 11 Ay9xkK3NYN.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\...\rysgtozci.exe, PE32 11->31 dropped 14 rysgtozci.exe 11->14         started        process5 signatures6 59 Tries to detect virtualization through RDTSC time measurements 14->59 17 rysgtozci.exe 14->17         started        process7 signatures8 35 Modifies the context of a thread in another process (thread injection) 17->35 37 Maps a DLL or memory area into another process 17->37 39 Sample uses process hollowing technique 17->39 41 Queues an APC in another process (thread injection) 17->41 20 explorer.exe 17->20 injected process9 dnsIp10 33 www.fortitude-tech.com 20->33 51 System process connects to network (likely due to code injection or exploit) 20->51 24 systray.exe 20->24         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2022-05-05 06:06:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook campaign:fw02 rat spyware stealer suricata trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0
MD5 hash:
96b3c3b0f05b4cedf349797d7cb05627
SHA1 hash:
b2d7084dcae06676c21d0ab393c60d6480e1d03f
SH256 hash:
d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5
MD5 hash:
5fc986129c3d833b1c7e5ba6ff3678bc
SHA1 hash:
2ace6bc0488df9b8592e25be3de38e6c9a0c16da

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5

(this sample)

  
Delivery method
Distributed via web download

Comments



Avatar
zbet commented on 2022-05-05 06:05:49 UTC

url : hxxp://103.147.185.53/gdrive/scrss.exe