MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efaaf9e72db8504655c4ae81958252dff7454667d9fd559d1f3a1a4b53a3c8ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

SHA256 hash: efaaf9e72db8504655c4ae81958252dff7454667d9fd559d1f3a1a4b53a3c8ee
SHA3-384 hash: 98b1c0af5127b7fb81e61a1e3a27243e32e30f7204b7c310a75b875e12b5ebe58742bd9836717089592cf3c5e6cc6d86
SHA1 hash: 93f620ce6e25d9c1cc127afb5e34e2bdc8e3d2ef
MD5 hash: 95ce07a1b02483f47410688e5ea2934d
humanhash: table-ceiling-magazine-ohio
File name: WIKA Instrumentation (M) Sdn Bhd - Request For Inquiry.exe
Signature: Formbook
File size: 366'561 bytes
First seen: 2023-09-14 14:55:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep: 6144:/Ya6bjwXuheT5LCik2yLf6hdZSXd81BvIOa+gaqEWQoIldBGKyc44tm3YUW9n:/YJjwEjiktYStoRV/dBb4omM9n
Threatray: 56 similar samples on MalwareBazaar
TLSH: T10D74231039A5C44AF9A29B353D3E037FBAD59923A6FD47575350439E3850288CB8D3BB
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: TeamDreier
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 265
Origin country: DK

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: WIKA Instrumentation (M) Sdn Bhd - Request For Inquiry.exe
Verdict: Suspicious activity
Analysis date: 2023-09-14 14:56:29 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook, NSISDropper
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected NSISDropper
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2023-09-13 02:11:25 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 21 of 23 (91.30%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer
Behaviour:
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
File 1: SHA256 f38c4143349a1a617139994fb6e837335940bd0569c8847522827f56f8fc28d5, MD5 d2db398dd6a25e145beaab720a5df5aa, SHA1 d087a7a4b753b5d9487b7235c3a6e8aa3f758817
File 2: SHA256 ba8739824484e070b0892ef96c891ca58ef87e42f1954ee173e1dd998e9bf690, MD5 97be8c2f6b17aeaee1cd75d326ee69c5, SHA1 1208db7b74c61c649cab726db79e29832fbd6f6e
File 3: SHA256 de06e69338bdaa71d9d999851c44f1069f2c47990b7c20cd32f762ecc7a8091a, MD5 4d219d0ea2cd9465adb8ea03838c8668, SHA1 af5972ed81849221ef982ad5737da4075dc2a477
File 4: SHA256 efaaf9e72db8504655c4ae81958252dff7454667d9fd559d1f3a1a4b53a3c8ee, MD5 95ce07a1b02483f47410688e5ea2934d, SHA1 93f620ce6e25d9c1cc127afb5e34e2bdc8e3d2ef
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Category: Malspam
Malware family: Formbook
Sample: Executable exe efaaf9e72db8504655c4ae81958252dff7454667d9fd559d1f3a1a4b53a3c8ee (this sample)
Delivery method: Distributed via e-mail attachment

Comments