MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8487ecaafff72cace4e090aba52aa5c20b18a1627b1abf96f3591de054eb887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8487ecaafff72cace4e090aba52aa5c20b18a1627b1abf96f3591de054eb887
SHA3-384 hash: f20bc1e052a2e295c829ff663b5eb4fc3905f9ee1ea0208e4d0d750fced43be774f438893bf885f8857d35882ef68b3b
SHA1 hash: 3af04294110dda183196c64e0136bf001c1da11e
MD5 hash: 34770feca03adae9358a2f4f2d32b34d
humanhash: social-nitrogen-sixteen-idaho
File name:banka odemesi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:222'658 bytes
First seen:2022-06-06 12:22:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 55f3dfd13c0557d3e32bcbc604441dd3 (124 x Formbook, 18 x Loki, 13 x AgentTesla)
ssdeep 6144:qGs4xUWNPP0Z5r/oKSwSgxvVdxkSogtrf9k:lxlP0Z5rQ+1egtr1k
Threatray 13'386 similar samples on MalwareBazaar
TLSH T15924129E9AC1F6F7F34284B046B5977FF37B92444423298B4F21BF686E19641CE0E05A
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
banka odemesi.exe
Verdict:
Malicious activity
Analysis date:
2022-06-06 12:29:00 UTC
Tags:
installer formbook trojan stealer
Link:
https://app.any.run/tasks/e432f9a1-d7d3-4550-91f4-6079000b8a29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277022/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.10544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/629df1bf8e867832d9de0e5d/reports/1eca5859-a2e4-49bf-9c21-b4593108da04/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4e357cc-00fd-4b76-841d-6e54955abc54
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007338
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 639833 Sample: banka odemesi.exe Startdate: 06/06/2022 Architecture: WINDOWS Score: 100 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 5 other signatures 2->55 11 banka odemesi.exe 19 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\nzehnpzo.exe, PE32 11->33 dropped 14 nzehnpzo.exe 1 11->14         started        process5 signatures6 65 Antivirus detection for dropped file 14->65 67 Multi AV Scanner detection for dropped file 14->67 69 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->69 71 2 other signatures 14->71 17 nzehnpzo.exe 14->17         started        20 conhost.exe 14->20         started        process7 signatures8 41 Modifies the context of a thread in another process (thread injection) 17->41 43 Maps a DLL or memory area into another process 17->43 45 Sample uses process hollowing technique 17->45 47 Queues an APC in another process (thread injection) 17->47 22 explorer.exe 17->22 injected process9 dnsIp10 35 www.hopefortodayrecovery.com 22->35 37 www.eluawastudio.com 22->37 39 eluawastudio.com 34.102.136.180, 49757, 80 GOOGLEUS United States 22->39 57 System process connects to network (likely due to code injection or exploit) 22->57 26 systray.exe 22->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8487ecaafff72cace4e090aba52aa5c20b18a1627b1abf96f3591de054eb887/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-06 10:30:43 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3beh5svp75zmvtsobefluuvklqqldcqwe6y2x6lpgwi54bkoxcdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
84b0888a5a6938795c26a681435c52a25c16fe2d1e6230112df171024c8767df
Formbook
8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091
Formbook
cd52f05e91405de2802b080e908010337ed3a73c6a37f9c1c9a10a97622d5305
Formbook
fb958fde2068ea3f3cb5df440bd6f8cac47afef36ab98024153138ca9a982a5e
Formbook
fd41933f53e4d9c08e9c7c17f22206bf6599dc9f912be87e2c09bb05a10013a5
Formbook
ffef17006deb4162478ac760be4d4479f3e145523f1433f0146818b105acad0c
Formbook
+ 13'376 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mh76 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220606-pkfx5scdcn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
5d04bfd247bbd9d2811602837a8ec5223eaf3fb68cd888dc1c2177f4e3aaee96
MD5 hash:
0913e273e8c280aece8f855fc6fd9563
SHA1 hash:
b33abe8bc272b5eea19d63d1693715e999e9dbbd
Link:
https://www.unpac.me/results/07742025-1364-4225-81aa-3a36e8b3f354/
SH256 hash:
d8487ecaafff72cace4e090aba52aa5c20b18a1627b1abf96f3591de054eb887
MD5 hash:
34770feca03adae9358a2f4f2d32b34d
SHA1 hash:
3af04294110dda183196c64e0136bf001c1da11e
Link:
https://www.unpac.me/results/07742025-1364-4225-81aa-3a36e8b3f354/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d8487ecaafff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/d8487ecaafff72cace4e090aba52aa5c20b18a1627b1abf96f3591de054eb887

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277022/

Comments