MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
SHA3-384 hash: 4c8f17fe90bfb3dfbd11c88c1385eb68138422c9575f5b64e3141f23bf3bf8c088a9ab5182adc5e664057bd612192096
SHA1 hash: c67345e48bb9f87f748c9ced05548ab963ab671a
MD5 hash: 4c19c9aafec134ba6b6ccbe8b4b54cf4
humanhash: connecticut-hydrogen-don-solar
File name:Noua lista de comenzi.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:944'128 bytes
First seen:2022-08-25 11:01:27 UTC
Last seen:2022-08-26 09:51:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f81b5c9269910375af465608d2f2ff2 (3 x RemcosRAT, 3 x Formbook, 2 x DBatLoader)
ssdeep 12288:AJUHQf66vLY0QWoYa5RsDDVQdDPf+rKU5IT7greRccA/s/rsGvRcZoYto:AsoUQin8uerHqRcv/sHsoIo
Threatray 18'258 similar samples on MalwareBazaar
TLSH T161158D12A392C83FD6372634CC17965DAC1D7E106A34A44E6BD52D087B763E2262F6CF
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Noua lista de comenzi.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-25 11:05:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10d34afc-1e94-436f-a55d-272fa6a6be92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/301126/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436143.17787.27254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30051/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay shell32.dll
Link:
https://www.filescan.io/uploads/6307570ab6f2a6ec1d636c82/reports/844c7d4a-be18-4956-8e18-3fce5c47e35b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d094c741-43ac-4422-97c3-a2bd90de9450
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057632
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690145 Sample: Noua lista de comenzi.exe Startdate: 25/08/2022 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 Yara detected UAC Bypass using ComputerDefaults 2->47 49 6 other signatures 2->49 10 Noua lista de comenzi.exe 1 17 2->10         started        process3 dnsIp4 37 ph-files.fe.1drv.com 10->37 39 onedrive.live.com 10->39 41 ghhlkg.ph.files.1drv.com 10->41 33 C:\Users\Public\Libraries\Xidlepzdb.exe, PE32 10->33 dropped 35 C:\Users\...\Xidlepzdb.exe:Zone.Identifier, ASCII 10->35 dropped 61 Writes to foreign memory regions 10->61 63 Allocates memory in foreign processes 10->63 65 Creates a thread in another existing process (thread injection) 10->65 67 Injects a PE file into a foreign processes 10->67 15 iexpress.exe 10->15         started        file5 signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 2 other signatures 15->75 18 explorer.exe 15->18 injected process9 process10 20 systray.exe 18 18->20         started        file11 29 C:\Users\user\AppData\...\50Mlogrv.ini, data 20->29 dropped 31 C:\Users\user\AppData\...\50Mlogri.ini, data 20->31 dropped 51 Detected FormBook malware 20->51 53 Tries to steal Mail credentials (via file / registry access) 20->53 55 Tries to harvest and steal browser information (history, passwords, etc) 20->55 57 3 other signatures 20->57 24 cmd.exe 2 20->24         started        signatures12 process13 signatures14 59 Tries to harvest and steal browser information (history, passwords, etc) 24->59 27 conhost.exe 24->27         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 07:34:34 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lqtzgvawkdbk7cwqgjydojkjjwy4jqh6vj6pnyvhgyzlhzm26ra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b47bc9f845c854c4a1e74c6a19be7911b9f0ca2f587fc72aab2eda5ff8e8937
FormBook
2defdb22d90cba25a226f423fb2001fe8613dff78dbeb7af00dd37dd35ae992d
FormBook
47796a46d5c191e29988d2d657332b3d7f9f5278b3951049e98f80a2b0c11d5e
FormBook
5c60ec93028885f6319a52ad6ae0d4eaa08cec6a82cf8c7c62d7a060341a77a8
FormBook
6b8b620534b94530ba467af917e0365640b83b1edd8a39eaa00ebf441e2e34c0
FormBook
7e07af5d89e050c9a7e922455409518919f863f52e9cd4fa042532db10e1d269
FormBook
8b52c0ca8e1117f7be2e09a6ed854c4a7131d1f0950fcabd665999b96e254bf9
FormBook
917e03484856f0980f2150822a231e0f73e3cef3f074ea1644dcbd1082590399
FormBook
d7891c230103e0424c00cb31edfe25873433c901bd999772d9ab9013ba1e1da0
FormBook
+ 18'248 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:3nop persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220825-m45z9schd8/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Formbook payload
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1
MD5 hash:
38a86eff48873c72ca4d72f191a56f63
SHA1 hash:
25e96f601aa827d3b1ab70b0fdc67d0c15023b73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/f88305bb-c8a5-4381-91be-bdd8f49400ba/
Parent samples :
e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
SH256 hash:
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
MD5 hash:
4c19c9aafec134ba6b6ccbe8b4b54cf4
SHA1 hash:
c67345e48bb9f87f748c9ced05548ab963ab671a
Link:
https://www.unpac.me/results/f88305bb-c8a5-4381-91be-bdd8f49400ba/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eae13c9aa0b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301126/

Comments