MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daf7f2c5a8bd9f58da492ae3596ac4a15fe9138c5faa3673fa1be55f8d4157cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: daf7f2c5a8bd9f58da492ae3596ac4a15fe9138c5faa3673fa1be55f8d4157cb
SHA3-384 hash: 1f2097cc6e52c85baf8c86b4edf48dd935d5b0ca5ef1e6e21c57caadab678871a52ff090771a0b2ec31777179f857ff7
SHA1 hash: 404a97a89aaf52cf0f03980163349be5f63179f4
MD5 hash: 6f8a683ef4d06952e5bbd602a4bee26e
humanhash: six-aspen-network-asparagus
File name:Narudžba za 26.04.2023..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:671'744 bytes
First seen:2023-04-26 08:45:55 UTC
Last seen:2023-05-13 22:53:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:mDZldyXjWhEghtv61ctTQFYhS5gmA0aIt:mDlzEgjiM8Y0glVI
Threatray 1'347 similar samples on MalwareBazaar
TLSH T1D9E48B04E3E45698F2A68AF15A7441E467613F59E92CC19C3CF0FE2D68732D06252FEE
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 2609090e0e2e2608 (16 x Formbook, 2 x AgentTesla)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
KR KR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Narudžba za 26.04.2023..exe
Verdict:
Malicious activity
Analysis date:
2023-04-26 08:49:15 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/f8624fc6-3b21-4482-a003-43a307feaa50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385036/
Detection(s):
Win.Packed.Formbook-9993883-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Sending a custom TCP request
Creating a process from a recently created file
Creating a service
Loading a system driver
Changing a file
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun for a service
Blocking the User Account Control
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/6448e4cc8615b5d32a532537/reports/9335242c-7ec1-49cc-beed-bfb0335a1272/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/daf7f2c5a8bd9f58da492ae3596ac4a15fe9138c5faa3673fa1be55f8d4157cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a156337b-96a6-401f-8faa-213f853f640c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1221342
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 854291 Sample: Narud#U017eba_za_26.04.2023..exe Startdate: 26/04/2023 Architecture: WINDOWS Score: 100 104 Snort IDS alert for network traffic 2->104 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 11 other signatures 2->110 12 Narud#U017eba_za_26.04.2023..exe 1 5 2->12         started        16 svchost.exe 3 2->16         started        18 svchost.exe 4 2->18         started        20 4 other processes 2->20 process3 file4 88 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 12->88 dropped 90 C:\...90arud#U017eba_za_26.04.2023..exe.log, CSV 12->90 dropped 136 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->136 138 Drops PE files with benign system names 12->138 22 cmd.exe 1 12->22         started        24 cmd.exe 1 12->24         started        140 Multi AV Scanner detection for dropped file 16->140 142 Machine Learning detection for dropped file 16->142 144 Writes to foreign memory regions 16->144 27 CasPol.exe 16->27         started        29 powershell.exe 16->29         started        92 C:\Windows\Temp\xq3cqnsr.inf, Windows 18->92 dropped 146 Adds a directory exclusion to Windows Defender 18->146 148 Injects a PE file into a foreign processes 18->148 31 CasPol.exe 18->31         started        33 powershell.exe 18->33         started        35 cmstp.exe 18->35         started        94 C:\Windows\Temp\2l4e53xe.inf, Windows 20->94 dropped 37 CasPol.exe 20->37         started        39 7 other processes 20->39 signatures5 process6 signatures7 41 svchost.exe 5 5 22->41         started        45 conhost.exe 22->45         started        47 timeout.exe 1 22->47         started        114 Uses schtasks.exe or at.exe to add and modify task schedules 24->114 49 conhost.exe 24->49         started        51 schtasks.exe 1 24->51         started        53 conhost.exe 29->53         started        116 Modifies the context of a thread in another process (thread injection) 31->116 118 Maps a DLL or memory area into another process 31->118 120 Sample uses process hollowing technique 31->120 55 conhost.exe 33->55         started        57 conhost.exe 39->57         started        59 conhost.exe 39->59         started        process8 file9 86 C:\Users\user\AppData\Local\Temp\?????.sys, Unknown 41->86 dropped 128 Writes to foreign memory regions 41->128 130 Adds a directory exclusion to Windows Defender 41->130 132 Disables UAC (registry) 41->132 134 2 other signatures 41->134 61 CasPol.exe 41->61         started        64 powershell.exe 41->64         started        signatures10 process11 signatures12 150 Modifies the context of a thread in another process (thread injection) 61->150 152 Maps a DLL or memory area into another process 61->152 154 Sample uses process hollowing technique 61->154 156 2 other signatures 61->156 66 explorer.exe 61->66 injected 70 conhost.exe 64->70         started        process13 dnsIp14 96 www.boilerwarewhouse.com 103.224.182.242, 49696, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 66->96 98 www.bothpawsforward.com 66->98 100 bothpawsforward.com 34.102.136.180, 49697, 80 GOOGLEUS United States 66->100 112 System process connects to network (likely due to code injection or exploit) 66->112 72 svchost.exe 66->72         started        75 colorcpl.exe 66->75         started        77 raserver.exe 66->77         started        79 3 other processes 66->79 signatures15 process16 signatures17 122 Modifies the context of a thread in another process (thread injection) 72->122 124 Maps a DLL or memory area into another process 72->124 126 Tries to detect virtualization through RDTSC time measurements 72->126 81 cmd.exe 72->81         started        process18 signatures19 102 Tries to detect virtualization through RDTSC time measurements 81->102 84 conhost.exe 81->84         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/daf7f2c5a8bd9f58da492ae3596ac4a15fe9138c5faa3673fa1be55f8d4157cb/
Threat name:
Win64.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 08:46:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3l37frnixwpvrwsjflrvs2weufp6se4ml6vdm472dpsv7dkbk7fq._file
Verdict:
malicious
Similar samples:
4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
Formbook
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
Formbook
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
Formbook
b4deb473da425d45200dfa7d62eb24fa218d21969cd2483ffbedd04f61e374e9
Formbook
bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
Formbook
bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
Formbook
bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055
Formbook
d26b936b2d61001819fc4e99a224224d35edd9fd716bfe7bc5dbd431f584150e
Formbook
e2dbdd45e11e2b7e32caef9e2f4365d05e63eaf13724bea2ed842a503adb802f
Formbook
e5b432be651f1c2e2d10923fa2e07f21d3ccbb98a1238d04a8b8a6f801b19fae
Formbook
+ 1'337 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:v4ps evasion persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230426-kpajpsab6t/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Looks for VMWare Tools registry key
Sets service image path in registry
Formbook payload
Looks for VirtualBox Guest Additions in registry
Formbook
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
daf7f2c5a8bd9f58da492ae3596ac4a15fe9138c5faa3673fa1be55f8d4157cb
MD5 hash:
6f8a683ef4d06952e5bbd602a4bee26e
SHA1 hash:
404a97a89aaf52cf0f03980163349be5f63179f4
Link:
https://www.unpac.me/results/4631f6b3-ea9a-4afd-a9fa-9bf99007899d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/385036/

Comments