MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511
SHA3-384 hash: 2fe0a9585f249e6d5a85e477a0f147a08f70f317aa0090456a9890ab83f8060808ab042c5cc1d9e3e65a4828f8d3a150
SHA1 hash: 08cfce42c071e93dd92cffe68aea11abd0cad556
MD5 hash: 932f0c194925ccf952c8687d8649c647
humanhash: item-tennessee-virginia-hotel
File name:BOQ and MEP WORKS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:265'699 bytes
First seen:2022-04-04 11:41:17 UTC
Last seen:2022-04-04 13:17:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:ENeZ42W+bRVVFkAWmvpPp+l9eJEztOEHvalc:ENk3bgA9vpB+lJZ/x
Threatray 14'609 similar samples on MalwareBazaar
TLSH T1994402856BF0C577C93587302A35E4CA4FBCAC3316B0161B1B617FFE691A682A13E365
File icon (PE):PE icon
dhash icon d0e49af860d8c2d4 (1 x Formbook)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260550/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.71875.14003.7003.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12548/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624ad98b40ce5db9f4025c81/reports/7e90fa60-9471-4e99-b38b-d1f0058a119a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54e506cd-ae22-434e-b7e0-2338fd840ac3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969972
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602463 Sample: BOQ and MEP WORKS.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 8 other signatures 2->53 10 BOQ and MEP WORKS.exe 18 2->10         started        process3 file4 29 C:\Users\user\AppData\Local\Temp\csbps.exe, PE32 10->29 dropped 31 C:\Users\user\AppData\Local\Temp\yumqmfbdf, data 10->31 dropped 13 csbps.exe 10->13         started        process5 signatures6 63 Multi AV Scanner detection for dropped file 13->63 65 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->65 67 Tries to detect virtualization through RDTSC time measurements 13->67 69 Injects a PE file into a foreign processes 13->69 16 csbps.exe 13->16         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 16->39 41 Maps a DLL or memory area into another process 16->41 43 Sample uses process hollowing technique 16->43 45 Queues an APC in another process (thread injection) 16->45 19 rundll32.exe 12 16->19         started        23 explorer.exe 16->23 injected process9 dnsIp10 55 System process connects to network (likely due to code injection or exploit) 19->55 57 Modifies the context of a thread in another process (thread injection) 19->57 59 Maps a DLL or memory area into another process 19->59 61 Tries to detect virtualization through RDTSC time measurements 19->61 25 cmd.exe 1 19->25         started        33 www.tackenzied.com 198.54.117.244, 49840, 80 NAMECHEAP-NETUS United States 23->33 35 td-ccm-168-233.wixdns.net 34.117.168.233, 49842, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->35 37 8 other IPs or domains 23->37 signatures11 process12 process13 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 11:42:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
25 of 40 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ma3lnvktav2aj2f273v3mgpxokfht5pcnx4ryzuybmsfexwuuiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
308d882a5267dc2b1e74498c052ad6f0ba7e29544f8872600586b9d2dfe798f9
Formbook
51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc
Formbook
5b91196649a276f967087fca9bbf4898b38afd3da43294f68b0f934464edfaf1
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
aaa025e66e7edbf2120c46ca3f09420caf7a71ff6c52cd64ff69198b339778ed
Formbook
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Formbook
d9950b4ee72ba5d966404150d11764c0bd5de8c76f605c615b95428036733472
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 14'599 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dn19 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-ntzwyahfdm/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
75f0e20d3952be0efac0521fd7b76ab9002a8436f66d4ef19c84402706afec38
MD5 hash:
24120c4a50f32c6a057cd17071981fb2
SHA1 hash:
dc0ba6ff6088750fd49d871b3aba2fef486f16aa
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/849b0e00-785a-4687-b05f-5bf836785e26/
Parent samples :
a1844c54e3b36bd69aeeeea0ddd335114f344f20904fcdfcd5a3980328ebf19c
aaa025e66e7edbf2120c46ca3f09420caf7a71ff6c52cd64ff69198b339778ed
d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511
995ed5a87efc98cfc45cd810d470bb7aa28a8e598da4a27516892bffdc99ac27
SH256 hash:
4e5b81f9de309b0d6d61146dddc36a0279d8fe14551103916258c0def4c9bccd
MD5 hash:
3277f2618e58b9cff5e369a57e565584
SHA1 hash:
3949975209b069fefe727dc3fc8c51433aed1a01
Link:
https://www.unpac.me/results/849b0e00-785a-4687-b05f-5bf836785e26/
SH256 hash:
a8a93e24a2e1116748036529902d803c7f1f313cc978798bd2aa147574527ab9
MD5 hash:
8dc7ed51e67f1a2dc683236279f000ea
SHA1 hash:
f27b0aa89b6a6a61d46371a1658ac67b8a542e4e
Link:
https://www.unpac.me/results/849b0e00-785a-4687-b05f-5bf836785e26/
SH256 hash:
d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511
MD5 hash:
932f0c194925ccf952c8687d8649c647
SHA1 hash:
08cfce42c071e93dd92cffe68aea11abd0cad556
Link:
https://www.unpac.me/results/849b0e00-785a-4687-b05f-5bf836785e26/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d301b5b6aa98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 7a0239a35abbffec97c4add7ce6147247095ba18240e3c9b777d9375a6fc70c8

Formbook

Executable exe d301b5b6aa982ba02745d7f75db0cfbb9453cfaf136fc8e334c0592292f6a511

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7a0239a35abbffec97c4add7ce6147247095ba18240e3c9b777d9375a6fc70c8
Cape
Cape
https://www.capesandbox.com/analysis/260550/

Comments