MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565
SHA3-384 hash: 0916969921060c628d7be882169361349e21bc144a006d68a6d18bf1a76ceef6dbb04a8a65c142c073bbfba48f49f210
SHA1 hash: 9982908b8dcddd6ef44d80e0f6491ad87b80e53d
MD5 hash: e5d9db9823fb854169e25fceca42e804
humanhash: tennessee-alabama-bakerloo-fish
File name:DOC209272621615.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:701'952 bytes
First seen:2021-12-01 14:35:54 UTC
Last seen:2021-12-06 14:54:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd63229d7f836c6d43eb2d74e621d69e (3 x Formbook)
ssdeep 12288:4e7bzFk/k/JOcISOgk3CTMI5a5+a1nWO4YghWxdESUyo2XMw:4sOsRkSOgk3ClO+EWO4YQOESUD2Xx
Threatray 11'341 similar samples on MalwareBazaar
TLSH T11AE47D17F2E0BDBFD01256748C7AA3E85925BE303E289C867AE43E0D1EBC6817517197
File icon (PE):PE icon
dhash icon b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOC209272621615.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-12-01 15:01:52 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/ad80c6cf-5fc5-4eba-924b-2b350df0dd3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210350/
Detection(s):
SecuriteInfo.com.Variant.Zusy.408932.1984.818.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/446/overview
Behaviour
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61a7885986bf67e7121d7a1b/reports/aeafe4af-533d-42bd-9d83-69e0ced9b044/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a02780e5-f385-423e-a9fe-4b2c0cc4ce35
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899498
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532011 Sample: DOC209272621615.PDF.exe Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 52 www.tourbox.xyz 2->52 54 www.jsboyat.com 2->54 56 tourbox.xyz 2->56 84 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 6 other signatures 2->90 11 Wkklnmcz.exe 13 2->11         started        15 DOC209272621615.PDF.exe 1 17 2->15         started        signatures3 process4 dnsIp5 106 Multi AV Scanner detection for dropped file 11->106 108 Contains functionality to inject threads in other processes 11->108 110 Contains functionality to inject code into remote processes 11->110 112 4 other signatures 11->112 18 logagent.exe 11->18         started        66 cdn.discordapp.com 162.159.129.233, 443, 49750, 49751 CLOUDFLARENETUS United States 15->66 48 C:\Users\user\Contacts\Wkklnmcz.exe, PE32 15->48 dropped 50 C:\Users\...\Wkklnmcz.exe:Zone.Identifier, ASCII 15->50 dropped 21 logagent.exe 15->21         started        23 WerFault.exe 23 9 15->23         started        file6 signatures7 process8 dnsIp9 74 Modifies the context of a thread in another process (thread injection) 18->74 76 Maps a DLL or memory area into another process 18->76 78 Sample uses process hollowing technique 18->78 80 Queues an APC in another process (thread injection) 18->80 26 explorer.exe 18->26 injected 82 Tries to detect virtualization through RDTSC time measurements 21->82 58 192.168.2.1 unknown unknown 23->58 signatures10 process11 dnsIp12 60 198.54.117.217, 49840, 80 NAMECHEAP-NETUS United States 26->60 62 www.neema.xyz 86.105.245.69, 49841, 80 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 26->62 64 25 other IPs or domains 26->64 100 System process connects to network (likely due to code injection or exploit) 26->100 102 Performs DNS queries to domains with low reputation 26->102 30 Wkklnmcz.exe 13 26->30         started        34 rundll32.exe 12 26->34         started        36 colorcpl.exe 26->36         started        signatures13 process14 dnsIp15 68 162.159.130.233, 443, 49757 CLOUDFLARENETUS United States 30->68 70 cdn.discordapp.com 30->70 114 Writes to foreign memory regions 30->114 116 Allocates memory in foreign processes 30->116 118 Creates a thread in another existing process (thread injection) 30->118 120 Injects a PE file into a foreign processes 30->120 38 mobsync.exe 30->38         started        72 www.era636.com 34->72 122 System process connects to network (likely due to code injection or exploit) 34->122 124 Modifies the context of a thread in another process (thread injection) 34->124 126 Maps a DLL or memory area into another process 34->126 128 Tries to detect virtualization through RDTSC time measurements 34->128 41 cmd.exe 1 34->41         started        signatures16 process17 signatures18 92 Modifies the context of a thread in another process (thread injection) 38->92 94 Maps a DLL or memory area into another process 38->94 96 Sample uses process hollowing technique 38->96 98 Tries to detect virtualization through RDTSC time measurements 38->98 43 WWAHost.exe 38->43         started        46 conhost.exe 41->46         started        process19 signatures20 104 Tries to detect virtualization through RDTSC time measurements 43->104
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 05:33:58 UTC
File Type:
PE (Exe)
Extracted files:
96
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ptqhifu25uu4dif22q7l6gixoxevdllllf2ci4nuwzpki72svsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
42df3a16fea8171aa66fc7856671ef94f20245a3bd98787a7070ee8b690430d2
Formbook
8fb0895d475560584335f48db057beb1840bbf685f180f46c53eb8aa8d8ec676
Formbook
9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490
Formbook
d72799be34725e6cc9665e17895075ad8c5aa22835440abb4a342a202426379c
Formbook
f79690a1d55d2a07ff407ca6a7e74dfc8097d9c63d6fa59adc2e03c73d39290b
Formbook
f857f10f0537c3e73d9d180b473bffb3bc43aeec4bf3c71a3b37c66bf199926c
Formbook
fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
Formbook
fc791a24b4250988196f8c8b174d778e0ed1f4ea2a3c8601b25ab4431df56f08
Formbook
+ 11'331 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pvxz loader persistence rat suricata
Link:
https://tria.ge/reports/211201-rylrnachhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.finetipster.com/pvxz/
Unpacked files
SH256 hash:
cda1fb3ce0326122d0abf53308bc8ba2b326c65169d63ae110f5e73eccc90859
MD5 hash:
7432a460a6b170f5bfdfdf9533935736
SHA1 hash:
39d488df741e5700ab264573a582d7aafa303745
Link:
https://www.unpac.me/results/39446c26-87dc-429f-8553-bc64d72164c0/
SH256 hash:
dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565
MD5 hash:
e5d9db9823fb854169e25fceca42e804
SHA1 hash:
9982908b8dcddd6ef44d80e0f6491ad87b80e53d
Link:
https://www.unpac.me/results/39446c26-87dc-429f-8553-bc64d72164c0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dbe703a0b4d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/210350/

Comments