MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d48e76a16a20d4af37091f9dea89ce3fa2341e273a3898ac1b8b398c2a5793d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: d48e76a16a20d4af37091f9dea89ce3fa2341e273a3898ac1b8b398c2a5793d5
SHA3-384 hash: 0d894826e87123c5f4bd63641d0504a3ab4e9da961342a071a32b11c5d84ec59276e9e4240bd01960a3720ec1a80bd0b
SHA1 hash: 6fd6b3e765c4e2d6c262e48f3da8040f2f72e41c
MD5 hash: 6b3d6565f98f00436cf229258a5ac2c8
humanhash: romeo-cup-network-california
File name: BANK DETAILS CORRECTIONS.exe
Signature: Formbook
File size: 691'712 bytes
First seen: 2024-03-18 13:17:08 UTC
Last seen: 2024-03-18 15:29:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:EsJTENl3j9cLW29yuRN0wC3RHyGCRcB66IvtBlai0y8Ui31zO:txENlT2620eC4NRvvBlalqiFzO
Threatray: 29 similar samples on MalwareBazaar
TLSH: T158E42310E6CE8AA0D7BC7FF148A086B8037176256474DB3B6A48E5CDAB757EC475202F
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 323
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d48e76a16a20d4af37091f9dea89ce3fa2341e273a3898ac1b8b398c2a5793d5.exe
Verdict: Malicious activity
Analysis date: 2024-03-18 13:54:48 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
  Creating a window
  Creating synchronization primitives
  Creating a process with a hidden window
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a file in the %temp% directory
  Launching a process
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
  Adding an exclusion to Microsoft Defender
  Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: MSIL Injector
Verdict: Malicious

Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
  .NET source code contains method to dynamically call methods (often used by packers)
  .NET source code contains potential unpacker
  Adds a directory exclusion to Windows Defender
  Antivirus detection for URL or domain
  Injects a PE file into a foreign process
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Performs DNS queries to domains with low reputation
  Queues an APC in another process (thread injection)
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Sigma detected: Scheduled temp file as task from temp location
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Writes to foreign memory regions
  Yara detected AntiVM3
  Yara detected FormBook
  Yara detected PureLog Stealer
Behaviour
Behavior Graph ID: 1411001
Sample: BANK DETAILS CORRECTIONS.exe
Start date: 18/03/2024
Architecture: WINDOWS
Score: 100

Sample-level network: www.nikazo.xyz; xiaoyue.zhuangkou.com; 19 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
  www.nikazo.xyz: Performs DNS queries to domains with low reputation

Process tree (reconstructed from the graph):
BANK DETAILS CORRECTIONS.exe (started)
  dropped: C:\Users\user\AppData\...\fcLfLlfpmjf.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\tmpB1A6.tmp (XML)
  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process
  BANK DETAILS CORRECTIONS.exe (started)
    signatures: Maps a DLL or memory area into another process
    EnKifmZDGZ.exe (injected)
      sdiagnhost.exe (started)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
        EnKifmZDGZ.exe (injected)
          www.mgn.icu 49.0.230.183, ports 49733, 49734, 49735 (YOKOUNANET-MN-AS-APYOKOZUNANETLLCMN, Mongolia)
          xiaoyue.zhuangkou.com 47.76.88.64, ports 49716, 49717, 49718 (VODAFONE-TRANSIT-ASVodafoneNZLtdNZ, United States)
          12 other IPs or domains
        firefox.exe (started)
  powershell.exe (started)
    WmiPrvSE.exe (started)
    conhost.exe (started)
  powershell.exe (started)
    conhost.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
fcLfLlfpmjf.exe (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  fcLfLlfpmjf.exe (started)
    EnKifmZDGZ.exe (injected)
      signatures: Maps a DLL or memory area into another process
      sdiagnhost.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
Threat name: ByteCode-MSIL.Trojan.SnakeKeylogger
Status: Malicious
First seen: 2024-03-12 10:36:35 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
  Creates scheduled task(s)
  Modifies Internet Explorer settings
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of UnmapMainImage
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Checks computer location settings
Unpacked files

SHA256 hash: 700ad263bdf1005cc0ab34ea3970718449d73d6ece4ea3abf2c8e359afa8546d
MD5 hash: 055924e1d510113797959067518da959
SHA1 hash: e6db3335c3cc1a1bb6308255a82dfadd76af5d18
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: ad7067c73fc2bd6baae8454d7ced8214d8b45a05475edec4f7191c2a769a03fd
MD5 hash: 66a1568c85a47c65fb078881d20c005c
SHA1 hash: e1ec1d2e8b017b4c2b0330c704c65195b6e09a05

SHA256 hash: 06a1ae787e808d6287de314be8bec64ef2e0d3bc1bf2ea71ae268c7b8fb19e2d
MD5 hash: 91b39e533d48f5fa25ac604da90b3d8d
SHA1 hash: f5dadf1e8fcbe64609e4cd78a27e2810f7a6e69e

SHA256 hash: c8c1020fe926cc1851b73c1915ad32e2fc393dccb402782aca8f4ea6379ba84d
MD5 hash: ef7cf89d9ec52b18a8f5b6ee49820f46
SHA1 hash: dcf9cb9bb3f72ca4b3cc0c00b27bd9ce10b554bb

SHA256 hash: c10c9b0882bac6f788f48b4dabe3291b14e639e650f2b9fcb0bc174ac92ae02b
MD5 hash: 7c7fb6daa78beb69128991ff893143ed
SHA1 hash: c01bb99984b12b84129db80eae1d5d8341a358e2

SHA256 hash: 2e37ba7f8875bbf5b4d744e4a3ebec0789b9e24b91c1cff2c45507832ae00fce
MD5 hash: 5e96ebcaea2d715cb3128b7833e68100
SHA1 hash: 62fe93c9a3a48aae3573aa824abebe83fa4e7b6c

SHA256 hash: 34dc7aec21c39c33cb71c22d184263f9827c8b306bd4872ceb949bc06d066834
MD5 hash: c28d8777604112e38dfadf06316e0e8a
SHA1 hash: f35074db4d957989dd4ae9c0287411b5f373d2af

SHA256 hash: b78fb64a198e76c8b753592ecb2184470301ac7aa77794e62a93644fe31b3e4d
MD5 hash: f7f830e316ccf51b1263f0a224423d79
SHA1 hash: cefa8eeed92c16b2b9817032bb24cadf256aad66

SHA256 hash: f1565d880941dd6bb9606d3f3e90fe53cb2a95e343593dcf46a74e7544685a72
MD5 hash: 992a9a6d6505ecf3df67c40d55a00701
SHA1 hash: c72b0eec6162574b66b0a3d6f5072a01361dd260

SHA256 hash: e5d2d0bb66f425cf10098c1fb29d6117b0069bc038e3492f9228f5efc9a33f38
MD5 hash: 91a81079e444ebc87ad279931d4984d0
SHA1 hash: 80740fe0a56c3e9c91348aa49708273814cff49d

SHA256 hash: 0eae33b82e9b61bfaf9d44425f266d4307d51c7a64a72d0273550b93e0a46338
MD5 hash: 7e966e8841b1e1b9f7fd9affeba54d4b
SHA1 hash: 71baa25500e4d96fdaebd997d10193c7a079bd46

SHA256 hash: 9eb8a1a2d0f415c6d46f09382ee0e329213afc35611af3ef3df42ae0399d36dd
MD5 hash: a1d93a3ac161f790bf6bbe13a028d4be
SHA1 hash: 29ec92fd064b56b86df0b43963d04885ef918d24

SHA256 hash: d48e76a16a20d4af37091f9dea89ce3fa2341e273a3898ac1b8b398c2a5793d5
MD5 hash: 6b3d6565f98f00436cf229258a5ac2c8
SHA1 hash: 6fd6b3e765c4e2d6c262e48f3da8040f2f72e41c

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect PE file that has no import table

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach

Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe d48e76a16a20d4af37091f9dea89ce3fa2341e273a3898ac1b8b398c2a5793d5 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high
