MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14



SHA256 hash: efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3
SHA3-384 hash: ed0a7f1c276ca259da0cc58a41c8443cce740a8bb4ab5e2f760734e6bc4b9e3c6c4068c3efd259134d67050297c34e8a
SHA1 hash: 2cdc9f81881cb3bfb7a825bb7c8608922a5ee311
MD5 hash: 7241c4a2af9e08ca229912f6c95c72fe
humanhash: maine-may-ohio-quebec
File name: 7241c4a2af9e08ca229912f6c95c72fe.exe
Signature: Formbook
File size: 487'158 bytes
First seen: 2022-09-30 10:29:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/vOpBjhttFujz1rp/nkQ060AtH15Wc0:lToPWBv/cpGrU3y8tGvo18X/XZn5X0
Threatray: 17'741 similar samples on MalwareBazaar
TLSH: T153A4E102BEC19472D4B319365A397B21A97DBA201F79CEDF63D04A2DDA315C0E7317A2
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 243
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Launching a process
Sending a custom TCP request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph: ID 713391, sample B3Z58b78Nk.exe, start date 30/09/2022, architecture WINDOWS, score 100 (rendered process/network graph omitted)
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2022-09-29 23:16:45 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader campaign:u8ow loader persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Xloader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f91cddf70f61fcd51664b166aa02d94df8b57ce45028ff12cb187a994334ae0c
MD5 hash: e7a7f5427f7cd4b1d68b01d276e9078b
SHA1 hash: bdb59dd0f04d4a4a48ac4b016553126b9f5ba17a
Detections: XLoader win_formbook_auto win_formbook_g0
SHA256 hash: ff821e285da8c69105815df6e9f2bd04ad88ebcc6b881f59e9592e5bd62e25c1
MD5 hash: ce262c598fed05331ed24e0d44fab549
SHA1 hash: 855a97836d6c47e7a4f6e9d702ac75adec755ea9
SHA256 hash: efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3
MD5 hash: 7241c4a2af9e08ca229912f6c95c72fe
SHA1 hash: 2cdc9f81881cb3bfb7a825bb7c8608922a5ee311
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: RansomwareTest8
Author: Daoyuan Wu
Description: Test Ransomware YARA rules
Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Formbook
Executable exe efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3 (this sample)

Delivery method: Distributed via web download
