MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7b8bf0586fce4959c56025ce1d0d4b7ca84a5b7f3d94645d0762ca522de89f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7b8bf0586fce4959c56025ce1d0d4b7ca84a5b7f3d94645d0762ca522de89f6
SHA3-384 hash: 3abe832ce89bc0bc9ebbb67f7628d816be3b4b6129e2bd27b50b8908c00b5ae1e78d893085a9da7e7df09cd50e657e18
SHA1 hash: 642baf13e67a8766b1da7ccf34ba418b4db792e1
MD5 hash: ce597c19b3ef7694c895c78022407908
humanhash: thirteen-single-lake-paris
File name:ce597c19b3ef7694c895c78022407908
Download: download sample
Signature Formbook
Create hunting rule
File size:837'632 bytes
First seen:2021-11-29 20:49:17 UTC
Last seen:2021-11-29 22:38:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 28ea44d33dd8d4a3ebec7dee5814718e (4 x Formbook)
ssdeep 12288:PE2tc7FE6c/ItF8iQ6/JRJA6sAeYP+ToBWFZCXesFdUyo2XM:PE2K79bHQ76QeOC7UD2X
Threatray 11'771 similar samples on MalwareBazaar
TLSH T14C05AF22B6A28437E03217306D67426C5D39FE502E3460857BE63F8CDE76B52BA355B3
File icon (PE):PE icon
dhash icon 7cf6b6aa8ed8e8f4 (4 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER HECTRO.xlsx
Verdict:
Malicious activity
Analysis date:
2021-11-29 19:04:30 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/fd2de4c1-f793-4359-94ae-09f99e54d355

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.57961.16695.10237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for the window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61a53cffc4c5314148224740/reports/c2ce9057-a3ec-4bd2-ab7b-c1449043cbf0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/40028b20-b604-499a-b597-3358f864c38b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898275
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 530750 Sample: pV56YJ3AtY Startdate: 29/11/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 3 other signatures 2->63 9 Vfbfhnqe.exe 15 2->9         started        13 Vfbfhnqe.exe 15 2->13         started        15 pV56YJ3AtY.exe 1 17 2->15         started        process3 dnsIp4 43 onedrive.live.com 9->43 53 2 other IPs or domains 9->53 73 Multi AV Scanner detection for dropped file 9->73 75 Writes to foreign memory regions 9->75 77 Allocates memory in foreign processes 9->77 18 mobsync.exe 9->18         started        45 onedrive.live.com 13->45 55 2 other IPs or domains 13->55 79 Creates a thread in another existing process (thread injection) 13->79 81 Injects a PE file into a foreign processes 13->81 21 mobsync.exe 13->21         started        47 onedrive.live.com 15->47 49 g0v5qg.am.files.1drv.com 15->49 51 am-files.fe.1drv.com 15->51 39 C:\Users\user\Contacts\Vfbfhnqe.exe, PE32 15->39 dropped 41 C:\Users\...\Vfbfhnqe.exe:Zone.Identifier, ASCII 15->41 dropped 23 WerFault.exe 23 9 15->23         started        26 DpiScaling.exe 15->26         started        file5 signatures6 process7 file8 65 Modifies the context of a thread in another process (thread injection) 18->65 67 Maps a DLL or memory area into another process 18->67 69 Sample uses process hollowing technique 18->69 71 2 other signatures 18->71 28 explorer.exe 18->28 injected 37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->37 dropped signatures9 process10 process11 30 help.exe 28->30         started        33 cmstp.exe 28->33         started        signatures12 83 Modifies the context of a thread in another process (thread injection) 30->83 85 Maps a DLL or memory area into another process 30->85 87 Tries to detect virtualization through RDTSC time measurements 30->87 35 explorer.exe 132 30->35         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7b8bf0586fce4959c56025ce1d0d4b7ca84a5b7f3d94645d0762ca522de89f6/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 15:48:06 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ba605473b6fc3b244f25a8838e41a642dbf9566d347d3ea084e96bbe88aebde
Formbook
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
Formbook
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6
Formbook
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
Formbook
6967bdb48b95df3cf797ec06e2f38f20932cca68f2ce8a6cb5b2ee3071826d09
Formbook
728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
Formbook
a67796ab32ba225ab871923548c5b98147a848edeffb72089724d6131d20dc0c
Formbook
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
Formbook
d72799be34725e6cc9665e17895075ad8c5aa22835440abb4a342a202426379c
Formbook
+ 11'761 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ht08 loader persistence rat
Link:
https://tria.ge/reports/211129-zmlarafgd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.septemberstockevent200.com/ht08/
Unpacked files
SH256 hash:
cda1fb3ce0326122d0abf53308bc8ba2b326c65169d63ae110f5e73eccc90859
MD5 hash:
7432a460a6b170f5bfdfdf9533935736
SHA1 hash:
39d488df741e5700ab264573a582d7aafa303745
Link:
https://www.unpac.me/results/81bae7b5-b055-46e1-8863-9e3b343d0b62/
SH256 hash:
d7b8bf0586fce4959c56025ce1d0d4b7ca84a5b7f3d94645d0762ca522de89f6
MD5 hash:
ce597c19b3ef7694c895c78022407908
SHA1 hash:
642baf13e67a8766b1da7ccf34ba418b4db792e1
Link:
https://www.unpac.me/results/81bae7b5-b055-46e1-8863-9e3b343d0b62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d7b8bf0586fce4959c56025ce1d0d4b7ca84a5b7f3d94645d0762ca522de89f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d7b8bf0586fce4959c56025ce1d0d4b7ca84a5b7f3d94645d0762ca522de89f6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1833498/

Comments


Avatar
zbet commented on 2021-11-29 20:49:20 UTC

url : hxxp://107.173.229.132/9900/vbc.exe