MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
SHA3-384 hash: a1e97d4c6423605f786cd62a98f3ad4e23bbcb325bd3ed666e6860f4d3beceabdbf85ca6bd31a9994673a04c782ef5f1
SHA1 hash: bf286575ffb7eb3d774990e4b131c78bf1ac414d
MD5 hash: 2c8181820fd637d080890c6366290ddb
humanhash: delta-gee-tango-item
File name:SecuriteInfo.com.Win64.TrojanX-gen.14754
Download: download sample
Signature FormBook
Create hunting rule
File size:950'784 bytes
First seen:2022-09-13 11:21:45 UTC
Last seen:2022-09-13 12:01:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8a00b1efc3715d236fb93566315cbcf (2 x ModiLoader, 1 x FormBook)
ssdeep 12288:rKx1eucAcAfIS6GTbL/T5C3DoCHjsG83q/rhf7fvQB4R:rqMKISpTXVuoT3q/lvk4
Threatray 14'255 similar samples on MalwareBazaar
TLSH T1F915AEE1B1F0CB33D053067ECA7772959E39BF654915BC4AA7F43908DF38281282A65B
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13101/52/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309716/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.14754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37554/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/6320680411830460749b637b/reports/77256f07-5d6f-4a05-91ec-61f715992b40/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2541a366-c868-447f-ae7f-177adb054630
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069430
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 701962 Sample: SecuriteInfo.com.Win64.Troj... Startdate: 13/09/2022 Architecture: WINDOWS Score: 100 55 www.enrrocastoneimports.com 2->55 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for URL or domain 2->87 89 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->89 91 7 other signatures 2->91 11 SecuriteInfo.com.Win64.TrojanX-gen.14754.exe 1 18 2->11         started        signatures3 process4 dnsIp5 69 ph-files.fe.1drv.com 11->69 71 onedrive.live.com 11->71 73 ghhikg.ph.files.1drv.com 11->73 47 C:\Users\Public\Libraries47xaamcog.exe, PE32 11->47 dropped 49 C:\Users\...49xaamcog.exe:Zone.Identifier, ASCII 11->49 dropped 51 C:\Users\Public\Libraries51xaamcog, data 11->51 dropped 107 Writes to foreign memory regions 11->107 109 Allocates memory in foreign processes 11->109 111 Creates a thread in another existing process (thread injection) 11->111 113 Injects a PE file into a foreign processes 11->113 16 iexpress.exe 11->16         started        file6 signatures7 process8 signatures9 75 Modifies the context of a thread in another process (thread injection) 16->75 77 Maps a DLL or memory area into another process 16->77 79 Sample uses process hollowing technique 16->79 81 2 other signatures 16->81 19 explorer.exe 16->19 injected process10 signatures11 93 Uses ipconfig to lookup or modify the Windows network settings 19->93 22 ipconfig.exe 19->22         started        26 Nxaamcog.exe 14 19->26         started        29 Nxaamcog.exe 14 19->29         started        process12 dnsIp13 43 C:\Users\user\AppData\...\J0Nlogrv.ini, data 22->43 dropped 45 C:\Users\user\AppData\...\J0Nlogri.ini, data 22->45 dropped 95 Detected FormBook malware 22->95 97 Tries to steal Mail credentials (via file / registry access) 22->97 99 Tries to harvest and steal browser information (history, passwords, etc) 22->99 105 3 other signatures 22->105 31 cmd.exe 22->31         started        57 ph-files.fe.1drv.com 26->57 59 onedrive.live.com 26->59 61 ghhikg.ph.files.1drv.com 26->61 101 Multi AV Scanner detection for dropped file 26->101 103 Machine Learning detection for dropped file 26->103 35 BackgroundTransferHost.exe 13 26->35         started        37 iexpress.exe 26->37         started        63 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49750, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->63 65 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49748, 49755 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->65 67 3 other IPs or domains 29->67 39 iexpress.exe 29->39         started        file14 signatures15 process16 file17 53 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->53 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 31->83 41 conhost.exe 31->41         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 11:22:13 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4z4ljgw57y7j7iwjqnv7nugmhpwqgehyptok7uh44rmjqxcso3ea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
065632e2e6db16438d0412022dc7b66858120c1f50a7197708b3f4ef427699d1
FormBook
443fb70e1be9c75e3039b69bb4909d06cced84f1b1f7793396014f0c40e5b9a3
FormBook
478ab1dab077a9bd7820dbfe42f00169c9e72d2198787ef3f422390127e334d4
FormBook
4d47123169619362bf77feb0a764db9f2773f51374eb7a4ec71cc6f9b01d15f6
FormBook
5a2ebb201e3f9c619ad23b0043136c4aca5849f345733c68b9647d102b52b4ff
FormBook
5a4c660c435c40ac3ad3772f22ede545822146ef02bfdcc08921f06689cefdad
FormBook
9b44edc422a53146c9e003fd7da2917f101edd15916260a9d41642b43a278bc3
FormBook
c37e432814907adc06d097b9fc0768543a779157ac2bd9f557ad03b9f8a68806
FormBook
d0346d773a9ca3e5ec04d8b944788cd01c5c929b829a901848d46188c8d47c5b
FormBook
d1e081645509446dbf1a8587799dc544ed342da42a6bc778a3fe39fc9c065ff7
FormBook
+ 14'245 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:t3c9 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220913-ngkaqabccr/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/954fe769-9639-4ada-b527-ab766dc8e124
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/44bbbb60-b8ce-4453-92ca-aafc8d6c2187/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
MD5 hash:
2c8181820fd637d080890c6366290ddb
SHA1 hash:
bf286575ffb7eb3d774990e4b131c78bf1ac414d
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/44bbbb60-b8ce-4453-92ca-aafc8d6c2187/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e678b49addfe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309716/

Comments