MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955
SHA3-384 hash:	1837d9fb9c9a84314cce9f9d2bc497dfa413cf7da7d0e42e2e6cfa216b64678f10d344817bcbe6c825d4f5854b9c2e2d
SHA1 hash:	7bd621b88efc4cfac171fbf72e702a6943c84b87
MD5 hash:	9138ee31b973eb6b1eed3cbce7b2bd8e
humanhash:	delaware-sweet-delta-batman
File name:	Payment Advice.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	621'568 bytes
First seen:	2022-12-28 19:10:33 UTC
Last seen:	2022-12-28 20:43:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:fBMPrkQL6MI2t2ykZmXW5KePzn2va6T93xpTUApktnUX/deL:bIyZye7n2ZrpTUSktnJ
TLSH	T119D4124C35B80760DCA887B9E2B1455483F5E525AA26DF8E1EC770CB0A927CD4E4BB37
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	daa298d6d6b8a294 (4 x Formbook, 3 x AgentTesla, 1 x Loki)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment Advice.exe

Verdict:

Suspicious activity

Analysis date:

2022-12-28 19:12:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/45ae8d03-6538-467e-a0ee-46854ab21d7e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64393746.1247.23585.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching a process

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63ac94ca40e878e30420cb45/reports/4dd8c003-9719-4165-afed-2834d046cf4f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c5e37d9-66f0-4129-87f6-10ef99042dbe

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1142226

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-20 08:27:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cialxdnw7jcb2du2ouufhtoijbazrcs6oviqqe6wjaktiaxddfkq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221228-xvxyeabd27/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f06ec8b1-8551-4c23-a9b7-d00766cc9860

Unpacked files

SH256 hash:

c9aa4c9150f58234fd5feff9142434e919e36aec267f208cfc16d6ca3d42a96d

MD5 hash:

30ff67b5489bc8364a0e2e5b5035cd68

SHA1 hash:

76cdc482ce820f5889429653f76f20f8f022de84

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

Parent samples :

1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2
74f7661ce543ece586c81b95a2ee3174ca65e17369a90bb6522aa1cd34524754
0c99ac0f354ca12ab65c083c65b5d82ee242f9dbc2e5bdc8d9354959d655af52
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955
9d1ee961410bd91109f256fa8d0976d53e2c317e8ef55ad244063adf7865afe1
f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644
8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567
61977941b6ece2c52ebec3b2d38b4e3f4b1d4713bd6b3ddb0f0405351e2adce7

SH256 hash:

44025022362169baa09442690969ab14bfc9dbd65b2cab6f6c963aa247706391

MD5 hash:

e0fc6615a88b2a263cb9e418abcbb612

SHA1 hash:

b774b2590170b49031a85b2873a80127392e0fab

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

SH256 hash:

fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa

MD5 hash:

6c3fdb2b5d93cf814ea1b6ca05a0efcf

SHA1 hash:

f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

SH256 hash:

6c7ed4d512126371eb08c10838818e8b9fe5dd72898bd32d5552fe2df3568cc4

MD5 hash:

0e1d16b23bf1075ad1ae20cfa29948da

SHA1 hash:

823c2df0cddcfbb8cae5e7641eb6837eaa5c56c1

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

SH256 hash:

5a31bdbcc0d2e6c3cba5f8592a62a1f9229115eb73dfff0ce539f484830e56b8

MD5 hash:

b602679261b9c63615ae674cc445bf6f

SHA1 hash:

6d533b0d89742a0f962efffeb73faf56a051620d

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

SH256 hash:

1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955

MD5 hash:

9138ee31b973eb6b1eed3cbce7b2bd8e

SHA1 hash:

7bd621b88efc4cfac171fbf72e702a6943c84b87

Link:

https://www.unpac.me/results/f481c27f-76c8-45bb-8e64-fa80299289a6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample