MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ae9215ce8e02834033615ac911c0b82abcc6809f95cb8b6cfbd1fdd96ab4bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ae9215ce8e02834033615ac911c0b82abcc6809f95cb8b6cfbd1fdd96ab4bea
SHA3-384 hash: 5b8a467ed2195da7cb44bb7b92d0d5efe713873c1fa879ce2f20c964c61aa20ebebd2c011ef6a788d4531df98d3845da
SHA1 hash: 424c0b1e76c31a9f41ff32c178a52db36b3a3cab
MD5 hash: b59e497d16b16ed90b9d34c9b62de610
humanhash: mike-mexico-pasta-connecticut
File name:payment advice_0009890.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:644'096 bytes
First seen:2022-07-04 10:53:09 UTC
Last seen:2022-07-04 12:01:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:fkmguAeYrHOuK92OQn0ZUbBKUIKKWitbAUqcV3SNFCq4T2:Mjquo2dnRBKU7TiBSctkN4T2
TLSH T1D9D4F11EFFA5DE12DAAC1637C0D6503843B0994EA222D71B358C12991E137B7F9C678B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.39647.21889.14154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c2c7086ee6df015bb8c438/reports/207119db-79de-4ebd-8c1e-67a44348ba22/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc5efead-051f-4146-ad52-7760f6be960d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024123
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 656613 Sample: payment advice_0009890.exe Startdate: 04/07/2022 Architecture: WINDOWS Score: 100 33 www.skyvision.education 2->33 35 www.officialcruisingducks.com 2->35 37 skyvision.education 2->37 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 10 other signatures 2->51 11 payment advice_0009890.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\...\payment advice_0009890.exe.log, ASCII 11->31 dropped 65 Injects a PE file into a foreign processes 11->65 15 payment advice_0009890.exe 11->15         started        18 payment advice_0009890.exe 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected process9 dnsIp10 39 www.penguinflys.com 172.80.98.79, 49812, 80 ESITEDUS United States 20->39 41 www.triple2ranch.com 209.99.64.33, 49837, 80 CONFLUENCE-NETWORK-INCVG United States 20->41 43 5 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 55 Performs DNS queries to domains with low reputation 20->55 57 Uses netstat to query active network connections and open ports 20->57 24 NETSTAT.EXE 20->24         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 63 Tries to detect virtualization through RDTSC time measurements 24->63 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ae9215ce8e02834033615ac911c0b82abcc6809f95cb8b6cfbd1fdd96ab4bea/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 06:38:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bluscxhi4audiazwcwwjchalqkv4y2aj7folrnwpxup53fvljpva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:o3t8 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220704-mzjapsgfgk/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
bde4440629847215fff45e301f11d3dfb1e4c8482bbbcd973963d547a538e8b9
MD5 hash:
09c7fd3b97e1346ef68417cf50d79e7c
SHA1 hash:
c690a62de49ef4517750d35b49807df9223eed4f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
Parent samples :
628754b1e41101dabbd271cf25b161ea16873104ba6d3419314a8363b9a2e302
6a0dcd556658a1a64e9716c8ceccfab36406c8400e08f7b253d30de9ee13d0b8
0ae9215ce8e02834033615ac911c0b82abcc6809f95cb8b6cfbd1fdd96ab4bea
2a07b7a4dcebfe797400edbed8626749e59a8e8b729718202099a85b26db07ab
SH256 hash:
dee19d255c3a02e530efde75732b8bee7466463a2b152e4c5743739d58f96e36
MD5 hash:
c94d2231a7ee664cf047e5644a0d0ca3
SHA1 hash:
99db190cfaa01bc3382e31aec66552041aa2287b
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
SH256 hash:
1f197738a49e383d6421df70967722fdf1856dbd52c84669af41ba262e9d755d
MD5 hash:
2e0df1b658792434889a7f51c3a5845d
SHA1 hash:
5c133860ba13fb4ce5a0a80fa1df96b828e1c4f1
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
SH256 hash:
fc374cefd9a873a69b6166cdcf943ee3c233da44ed4a04a699c53996d97a4f2a
MD5 hash:
89ec9111862297850f872a8f9a891083
SHA1 hash:
0736726c8be2c2269dab333eda4483c995d69bdf
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
SH256 hash:
0ae9215ce8e02834033615ac911c0b82abcc6809f95cb8b6cfbd1fdd96ab4bea
MD5 hash:
b59e497d16b16ed90b9d34c9b62de610
SHA1 hash:
424c0b1e76c31a9f41ff32c178a52db36b3a3cab
Link:
https://www.unpac.me/results/5e6742ef-a462-4ad1-8fa4-bfc7c27e1e17/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ae9215ce8e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0ae9215ce8e02834033615ac911c0b82abcc6809f95cb8b6cfbd1fdd96ab4bea

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment

Comments