MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d987cb45df0ba4ef1fd34000c07dfe25332c4b76e087d8719846cedf07cfa5ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d987cb45df0ba4ef1fd34000c07dfe25332c4b76e087d8719846cedf07cfa5ac
SHA3-384 hash: 1d175f83b28d8e808bc88ce848ed3a1d1b3076351389c8aae47e1e294d52baf96bab4053de2fc7916f0a7a248c788c94
SHA1 hash: f17ad97fb9d378219dd0a9d559afbf2b8c2f0a0d
MD5 hash: 619b26271ef861e2a63cdbf09c1e3b10
humanhash: freddie-vegan-vermont-autumn
File name:new order.xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:783'360 bytes
First seen:2022-07-11 09:57:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:66yu0TYY4shcR0jZ9KxAQ2nBMTKxja1njqOQjnMn44aeHMdyDltxtP/8:ncTX4s2kixKhxQnevj25aqMT
TLSH T1FEF4E0AC3640F8DFC817C9729A64DC54AA3178675B0FE307A41732AD9A2CA97CF151E3
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
new order.xlsx.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 19:57:52 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/6c092b1d-5312-4b04-82d6-83b56d230007

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286144/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.26421.11136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cbf4338cb06ef4b09ed1e9/reports/0b32f8ed-a4eb-453b-a93a-00115a805c6a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28ef5497-1e69-4357-9825-d83b69738992
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028412
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 660906 Sample: new order.xlsx.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 34 www.attlog.ltd 2->34 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 13 other signatures 2->50 11 new order.xlsx.exe 3 2->11         started        15 explorer.exe 44 2->15         started        signatures3 process4 file5 32 C:\Users\user\...\new order.xlsx.exe.log, ASCII 11->32 dropped 60 Injects a PE file into a foreign processes 11->60 17 new order.xlsx.exe 11->17         started        signatures6 process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Sample uses process hollowing technique 17->40 42 Queues an APC in another process (thread injection) 17->42 20 explorer.exe 17->20 injected process9 signatures10 52 Uses netstat to query active network connections and open ports 20->52 23 NETSTAT.EXE 20->23         started        26 autochk.exe 20->26         started        process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 23->54 56 Maps a DLL or memory area into another process 23->56 58 Tries to detect virtualization through RDTSC time measurements 23->58 28 cmd.exe 1 23->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d987cb45df0ba4ef1fd34000c07dfe25332c4b76e087d8719846cedf07cfa5ac/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 05:42:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
25 of 41 (60.98%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gd4wro7boso6h6tiaama7p6euzsys3w4cd5q4myi3hn6b6puwwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:f3bq loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220711-lzgw7sade3/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
dfb82cdabeaeaf82380d87c9747a0ab9aa439328ecfde02a045056ef6ece7b95
MD5 hash:
96e806d0d89a19e3c603ca2e9099f57c
SHA1 hash:
0f26f582352a24c1246a76ef58effe3208a2a54b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
Parent samples :
29c2e96c75c881fda4383b8e56db10d74c007d2ffb3cd4c4d3801d30589b0c9e
6124faef534c43b40607b85ffc1798cb3064d7eb2239422d2b35826a6de5e3ee
9ccf3b44a9c52bacececc1273a72a2da8812fe34b1c61afb205fe8249e8b698a
d987cb45df0ba4ef1fd34000c07dfe25332c4b76e087d8719846cedf07cfa5ac
SH256 hash:
44628ffb6a90ef5b7ba68bebd3d632386a65399aa752116997dd849df4f42d37
MD5 hash:
68f69e66f277e7b2a9824abd3054dc7f
SHA1 hash:
6f09980af4e3f222e23976fdb0d1789086547dc6
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
SH256 hash:
4b6779d3d7d428980581b6d4109b105a9e8fed7639d8786b870ff489528002e0
MD5 hash:
10a294fa2d83b670fa0f86ba9ec6e908
SHA1 hash:
7629c0962b6fc7c5fb098f711b1ee6afa7215be2
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
SH256 hash:
c8cffe340318f0da899e7c0e59a0a38eed2030380e6836720e85f53262b6fff1
MD5 hash:
dc0506d8f6978d016591f8cfe6fda22b
SHA1 hash:
37447627acf3ee1ebbcc6e470e535fcfab0bd5cb
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
SH256 hash:
d987cb45df0ba4ef1fd34000c07dfe25332c4b76e087d8719846cedf07cfa5ac
MD5 hash:
619b26271ef861e2a63cdbf09c1e3b10
SHA1 hash:
f17ad97fb9d378219dd0a9d559afbf2b8c2f0a0d
Link:
https://www.unpac.me/results/a53f8c54-2da1-4a7d-aa5a-cf9cde9fa0de/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d987cb45df0b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/d987cb45df0ba4ef1fd34000c07dfe25332c4b76e087d8719846cedf07cfa5ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/286144/

Comments