MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4
SHA3-384 hash: e1d114ddaba0dbdf5f3000974cc84662866b470a6510be7a6893ada96c23314d560dd0502d311e092c7439f9fcd69938
SHA1 hash: def0fd8f7d18fd2f6141b020b2f858c5e6297378
MD5 hash: c0de473c3065a05fe9c0582005bbff37
humanhash: avocado-low-kansas-utah
File name:Se adjunta la factura proforma..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:727'552 bytes
First seen:2021-11-26 13:03:57 UTC
Last seen:2021-12-06 14:55:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb3e9d8cf19100c077e1fdd127bcd369 (3 x Formbook, 1 x BitRAT)
ssdeep 12288:g6Hvy5le1KrvnEWkPpgiVymUqmCRb3seJ1B8fDfwUCm0gRS+:g6PWleMvnEW0pgiJUUx3zJ1Ba7cH
Threatray 9'883 similar samples on MalwareBazaar
TLSH T159F46D41E6E24873C1372B758D999DE8A9257E252D24D48B67E33F088F7C3D0A724B87
File icon (PE):PE icon
dhash icon 342c6c9c97cc6493 (3 x Formbook, 1 x BitRAT)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Se adjunta la factura proforma..exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 13:24:42 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9dd5de6a-fc65-4924-94db-daa5d62773df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/61a0db4df36138de3f3efb9c/reports/2f238228-f77c-4a1a-850f-cac0a3756e79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7abcb5fc-b4bf-45f3-addc-dc14695b77af
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896732
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529206 Sample: Se adjunta la factura profo... Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 46 www.topei-products.com 2->46 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 5 other signatures 2->80 11 Se adjunta la factura proforma..exe 1 18 2->11         started        signatures3 process4 dnsIp5 56 cdn.discordapp.com 162.159.133.233, 443, 49749, 49750 CLOUDFLARENETUS United States 11->56 42 C:\Users\Public\Libraries\...\Iuglxmcm.exe, PE32 11->42 dropped 44 C:\Users\...\Iuglxmcm.exe:Zone.Identifier, ASCII 11->44 dropped 100 Writes to foreign memory regions 11->100 102 Allocates memory in foreign processes 11->102 104 Creates a thread in another existing process (thread injection) 11->104 106 Injects a PE file into a foreign processes 11->106 16 mobsync.exe 11->16         started        file6 signatures7 process8 signatures9 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 2 other signatures 16->64 19 explorer.exe 2 16->19 injected process10 dnsIp11 48 www.malibuclassix.com 212.32.237.91, 49820, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 19->48 82 System process connects to network (likely due to code injection or exploit) 19->82 23 Iuglxmcm.exe 13 19->23         started        27 Iuglxmcm.exe 13 19->27         started        29 msiexec.exe 19->29         started        31 2 other processes 19->31 signatures12 process13 dnsIp14 50 cdn.discordapp.com 23->50 84 Multi AV Scanner detection for dropped file 23->84 86 Writes to foreign memory regions 23->86 88 Allocates memory in foreign processes 23->88 33 logagent.exe 23->33         started        52 162.159.134.233, 443, 49754 CLOUDFLARENETUS United States 27->52 54 cdn.discordapp.com 27->54 90 Creates a thread in another existing process (thread injection) 27->90 92 Injects a PE file into a foreign processes 27->92 36 mobsync.exe 27->36         started        94 Modifies the context of a thread in another process (thread injection) 29->94 96 Maps a DLL or memory area into another process 29->96 38 cmd.exe 1 29->38         started        98 Tries to detect virtualization through RDTSC time measurements 31->98 signatures15 process16 signatures17 66 Modifies the context of a thread in another process (thread injection) 33->66 68 Maps a DLL or memory area into another process 33->68 70 Sample uses process hollowing technique 33->70 72 Tries to detect virtualization through RDTSC time measurements 33->72 40 conhost.exe 38->40         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 12:31:58 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7y3h4xz3lckbc7j3nglyjpc5upfuba3arskipgevwj43fpbpgksa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e18df1488198f73ac693eac37584967930540fcaaeca8403f4d8fa2c1126bcd
Formbook
1f472784494710200607f381849c6e3ea4f09f2ded2e84a1734ab5fdbd25d1de
Formbook
1fcc50813abb7385e0655f566a7def176171060614e8d691c1394776156f19a5
Formbook
48667ddc42d9eadc23dddc65f60f0de6e58afb6857953f282f7b02c115e9eed4
Formbook
4b376277cce9c1e365afb51b78046354176a443b45bb6bc123a3ea69710c6c65
Formbook
df2cd1e31e0ca0bb7210ee5382d2c1927d558920827e15843e0faf4010a03e94
Formbook
fe6bd626fd98e3c0e4a2c350e5d927398e22e7731e7c2e1f31bc02181735c4e0
Formbook
+ 9'873 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bc3s persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211126-qaywmscdel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.topei-products.com/bc3s/
Unpacked files
SH256 hash:
c0d655ca0862ee8f069564e3e7fcb17d930e0c877a31e749f4ad1b73a38e855a
MD5 hash:
7f01373693adbbd15ca15fff811a2c1a
SHA1 hash:
bf4ef40f0feaf42aeac4767ff93bfe83e1f0c89d
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/d4b13401-2ccd-4f1e-8d77-d7f77c948c93/
Parent samples :
bfbe11d6ffb3c82c59ac2cf85176583ff2ea5449d926584a59181286611f48f3
22e4c6c1d3eb1e8a93d2b36b152ef39cff53bc933ff80153057788fadf6615db
839d28f4d38455750ddf9ddffdd57d0cc6ee009714f407a8698e65e96eb9fa71
9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f
413e8df7f149aa643aaa1ef70e953ab2112827b652f1cf05b6420ed6a119962d
34443c2f4cf165f96c3eaffb93f2a7b3628ebed8ed119b3ef2ad3e5dc450e0a0
fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4
SH256 hash:
fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4
MD5 hash:
c0de473c3065a05fe9c0582005bbff37
SHA1 hash:
def0fd8f7d18fd2f6141b020b2f858c5e6297378
Link:
https://www.unpac.me/results/d4b13401-2ccd-4f1e-8d77-d7f77c948c93/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fe367e5f3b58/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments