MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362
SHA3-384 hash: a26e5d6a6a665e6eb0c27702fdecd1dc0504c2d33ec6400dbef2300c2a7a92e63be865c94a7abce9413b01b6850643eb
SHA1 hash: 9841730061ae158e59c039269c75b1bcbdab92d4
MD5 hash: e3e7121fb24c058d0c68ee554fe0f530
humanhash: football-florida-lactose-timing
File name:INVOICE for Order PIEX310113978.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:857'600 bytes
First seen:2021-04-07 11:20:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:wk33bbjQehAmJFWhyOvu26/irEaW0iUuyq8a9:w0rZA2xO226/kBuw
Threatray 163 similar samples on MalwareBazaar
TLSH DE05F055ED805AD4CE2D93305E7BC87907237D7AA4B4450C20E97F773BBBAA3002AB56
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cayman.com
Sending IP: 103.153.183.156
From: <gerdautradingvistra.co@cayman.com>
Subject: Re: PROFORMA INVOICE for Order No : PIEX310113978
Attachment: INVOICE for Order PIEX310113978.rar (contains "INVOICE for Order PIEX310113978.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE for Order PIEX310113978.exe
Verdict:
No threats detected
Analysis date:
2021-04-07 11:57:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b5e3351-9cdd-452a-b191-bacd818926cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132838/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12302.32010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668599
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383229 Sample: INVOICE for Order PIEX31011... Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 13 other signatures 2->48 10 INVOICE for Order PIEX310113978.exe 4 2->10         started        process3 file4 34 C:\...\INVOICE for Order PIEX310113978.exe, PE32 10->34 dropped 36 INVOICE for Order ...exe:Zone.Identifier, ASCII 10->36 dropped 38 INVOICE for Order PIEX310113978.exe.log, ASCII 10->38 dropped 40 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 10->40 dropped 50 Writes to foreign memory regions 10->50 52 Injects a PE file into a foreign processes 10->52 14 INVOICE for Order PIEX310113978.exe 10->14         started        17 AdvancedRun.exe 1 10->17         started        19 AdvancedRun.exe 1 10->19         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 21 explorer.exe 14->21 injected 23 AdvancedRun.exe 17->23         started        25 AdvancedRun.exe 19->25         started        process8 process9 27 wlanext.exe 21->27         started        signatures10 54 Modifies the context of a thread in another process (thread injection) 27->54 56 Maps a DLL or memory area into another process 27->56 58 Tries to detect virtualization through RDTSC time measurements 27->58 30 cmd.exe 1 27->30         started        process11 process12 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 10:34:08 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7a5oj3h7me7qpdy5fne4pyly7ws3mqzo5gmdzk3aoi6eyckqnra._file
Verdict:
malicious
Similar samples:
0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb
Formbook
1a2beaadeb5f9bc79af30c8a9e458bff69d4b481b305451afe68d0f1a9074da1
Formbook
2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
Formbook
2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
Formbook
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
Formbook
7cece5ca77b93ef7c41219923e3c080c99bffcca2141cde0acc72dc17daa6211
Formbook
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
Formbook
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
Formbook
da2d92f0b457ef9553ed1043f410926daa39f4a8605e1725fd547428c59ce023
Formbook
e889d6dd8614cb0a6ff70e130c651068e04dce0f1694f7a16251e304d35d27d2
Formbook
+ 153 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210407-w9d7pkj6q6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Nirsoft
Formbook
Malware Config
C2 Extraction:
http://www.discorddeno.land/suod/
Unpacked files
SH256 hash:
09ebf0166c4fbd1a764750dc5caefbdbb9c57f9c702b2f2a12118959984280b5
MD5 hash:
d57cec310d5485ec3ff57164b99beebe
SHA1 hash:
2bf11e3cfbaba9fdd0509ef8b1c6b3968bd513ab
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/35a39baf-b28d-4638-a612-e19c648be5eb/
SH256 hash:
b813a0bc8ea198256059f459dcb3e23bcb34fc3438ec8d762bc3f763c755c3f4
MD5 hash:
12a71b46f4a2604ff0461c34e68eaf0d
SHA1 hash:
c2781c0aec1da16cca561f81d87d0b285dbf7e9f
Link:
https://www.unpac.me/results/35a39baf-b28d-4638-a612-e19c648be5eb/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/35a39baf-b28d-4638-a612-e19c648be5eb/
SH256 hash:
72ebfe27f2e7a4131f98a1eb38b9a7331de1f424a5e3073464dbb7bc8c6334e4
MD5 hash:
a123101bd517ecc6b1555e8fa60b1de9
SHA1 hash:
1504de13775de42681e03297d45a3cc52974f55f
Link:
https://www.unpac.me/results/35a39baf-b28d-4638-a612-e19c648be5eb/
SH256 hash:
17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362
MD5 hash:
e3e7121fb24c058d0c68ee554fe0f530
SHA1 hash:
9841730061ae158e59c039269c75b1bcbdab92d4
Link:
https://www.unpac.me/results/35a39baf-b28d-4638-a612-e19c648be5eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar a7318a6230ca32e4641e37deaac455e514524fabc67ca51afa3c7f1abfd5e825

Formbook

Executable exe 17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362

(this sample)

  
Dropped by
MD5 1ac4a8eadca18d6143427c16c19a5471
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132838/
  
Dropped by
SHA256 a7318a6230ca32e4641e37deaac455e514524fabc67ca51afa3c7f1abfd5e825

Comments