MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e
SHA3-384 hash: b9f46a9b92bf7ff977c7624151a61b4ff8a0b8f5ab9ff2be79a015bb731a7ebda863b198351d69308c404c91793f4a60
SHA1 hash: a45dc186286d95acf747f9aa521fb3b39a229b07
MD5 hash: 92ef75a3ee0a68490eff334e4dcd7627
humanhash: maine-magnesium-mike-echo
File name:BEM00263.docx
Download: download sample
Signature Formbook
Create hunting rule
File size:23'412 bytes
First seen:2023-11-22 11:02:42 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 384:LrR+wlG6f59UORfqNy4Y0Fivd7ZMM4EUS9rDhCl0mppO7+S88m91v8tIQ:LrpomfsRYKiAMx9Xg0mpa6Z8
TLSH T1C3B2CFB3C670187ECF354136B2E93602C21C684B911B2E0CBB72E71D5D7908E5D7A9AC
TrID 51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.6% (.ZIP) ZIP compressed archive (4000/1)
2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter malwarelabnet
Tags:doc FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
800
Origin country :
CA CA
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/msword
Has a screenshot:
False
Contains macros:
False
Detection(s):
SecuriteInfo.com.Other.Malware-gen.9718.11228.UNOFFICIAL
Create hunting rule

MiscreantPunch.Suspicious.RemoteTemplateCall.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Creating a window
Creating a file
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% directory
Sending an HTTP GET request
Launching a process by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Word File
Link:
https://app.docguard.net/d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e/results/dashboard
Document image
Image:
Download PNG
Document image
Gathering data
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e
Label:
Malicious
Suspicious Score:
8.6/10
Score Malicious:
86%
Score Benign:
14%
Link:
https://www.malware.ai/gui/files/?id=df7bf728-9a9c-4e07-9f39-7aae10e38110
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e
Details
External Relationship Element
Document contains an externally hosted relationship, which fetches further content.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1346218
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains an external reference to another file
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses runas.exe to run programs with evaluated privileges
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1346218 Sample: BEM00263.docx Startdate: 22/11/2023 Architecture: WINDOWS Score: 100 57 tyny.to 2->57 71 Multi AV Scanner detection for domain / URL 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 77 12 other signatures 2->77 11 EQNEDT32.EXE 12 2->11         started        15 WINWORD.EXE 300 57 2->15         started        signatures3 process4 dnsIp5 37 C:\Users\user\AppData\Roaming\asusns.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\asusns[1].exe, PE32 11->39 dropped 83 Office equation editor establishes network connection 11->83 85 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->85 18 asusns.exe 1 7 11->18         started        63 tyny.to 104.21.48.17, 443, 49161, 49162 CLOUDFLARENETUS United States 15->63 65 23.95.235.10, 49171, 49173, 80 AS-COLOCROSSINGUS United States 15->65 41 C:\Users\user\AppData\Roaming\...\sd9069.url, MS 15->41 dropped 43 C:\Users\user\...\html on 23.95.235.10.url, MS 15->43 dropped 45 ~WRF{05C92374-F491...7-6A13AC22DECC}.tmp, Composite 15->45 dropped 47 2 other malicious files 15->47 dropped 87 Microsoft Office launches external ms-search protocol handler (WebDAV) 15->87 89 Office viewer loads remote template 15->89 91 Microsoft Office drops suspicious files 15->91 file6 signatures7 process8 signatures9 67 Machine Learning detection for dropped file 18->67 69 Injects a PE file into a foreign processes 18->69 21 asusns.exe 18->21         started        process10 signatures11 79 Maps a DLL or memory area into another process 21->79 24 OLhfWrGGWfwy.exe 21->24 injected process12 signatures13 81 Maps a DLL or memory area into another process 24->81 27 runas.exe 1 20 24->27         started        process14 dnsIp15 59 www.sqlite.org 45.33.6.223, 49178, 80 LINODE-APLinodeLLCUS United States 27->59 61 www.pjgfupyp.click 27->61 49 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 27->49 dropped 93 Tries to steal Mail credentials (via file / registry access) 27->93 95 Tries to harvest and steal browser information (history, passwords, etc) 27->95 97 Maps a DLL or memory area into another process 27->97 99 3 other signatures 27->99 32 OLhfWrGGWfwy.exe 27->32 injected 35 firefox.exe 27->35         started        file16 signatures17 process18 dnsIp19 51 www.tangzhilian.com 32->51 53 www.majinfo.tech 32->53 55 12 other IPs or domains 32->55
Score:
0%
Verdict:
Benign
File Type:
DOC
Link:
https://malprob.io/report/d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 02:39:55 UTC
File Type:
Document
Extracted files:
13
AV detection:
10 of 23 (43.48%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fvwiwhm7sul7ym274maohx47eor2wyryblpdj3earhbeqxi6fpa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/231122-m5n35sbh38/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Suspicious use of SetThreadContext
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Process spawned unexpected child process
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d16b6458ecfc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d16b6458ecfca8bfe19aff18071efcf91d1d5b11c056f1a764044e1242e8f15e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments