MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
SHA3-384 hash: 9967264d3ee696d17d4c846554728d4fda455048a31417a164c9d94e81593523360da705705a3ec59b98f8bdc71241d8
SHA1 hash: 5f3a4a6fe93590cc459c873767c9e292dce7496e
MD5 hash: 5b35cd229afdd0871dfcdbe9ee903406
humanhash: snake-delaware-sixteen-carbon
File name:satın alma emri pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:715'264 bytes
First seen:2023-05-22 05:24:31 UTC
Last seen:2023-05-22 10:32:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:DTpx0YPX/NqPsn41wERBpGkf2cFOKaOofgPIOqCj04+g1W:DTcHPsn41wcMk+WOtgPI1c+
Threatray 2'988 similar samples on MalwareBazaar
TLSH T139E4F1D126988C15E5AB5FB94AA3E23443B96C90EF27C34D68F42D8B7C56B813B017C7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 224472b2a0c04280 (13 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
satın alma emri pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-22 05:25:06 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/39c31b24-dc8a-4267-aa1d-656d50d3a891

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28450.269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/646afcaf2e1bd944cb4ab117/reports/4f4319ac-303c-4130-b019-ff3d9d3cbc3f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94df2efd-a632-4fcc-9576-eeaa7e1dce25
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239316
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 872309 Sample: sat#U0131n_alma_emri_pdf.exe Startdate: 22/05/2023 Architecture: WINDOWS Score: 100 65 www.adicozy.com 2->65 77 Snort IDS alert for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 9 other signatures 2->83 11 sat#U0131n_alma_emri_pdf.exe 7 2->11         started        15 fLgUSgFvp.exe 5 2->15         started        signatures3 process4 file5 51 C:\Users\user\AppData\Roaming\fLgUSgFvp.exe, PE32 11->51 dropped 53 C:\Users\...\fLgUSgFvp.exe:Zone.Identifier, ASCII 11->53 dropped 55 C:\Users\user\AppData\Local\...\tmpEA5B.tmp, XML 11->55 dropped 57 C:\Users\...\sat#U0131n_alma_emri_pdf.exe.log, ASCII 11->57 dropped 91 Uses schtasks.exe or at.exe to add and modify task schedules 11->91 93 Adds a directory exclusion to Windows Defender 11->93 17 RegSvcs.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        95 Multi AV Scanner detection for dropped file 15->95 97 Machine Learning detection for dropped file 15->97 24 RegSvcs.exe 15->24         started        26 schtasks.exe 1 15->26         started        28 RegSvcs.exe 15->28         started        30 RegSvcs.exe 15->30         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 17->67 69 Maps a DLL or memory area into another process 17->69 71 Sample uses process hollowing technique 17->71 73 2 other signatures 17->73 32 explorer.exe 4 1 17->32 injected 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 26->40         started        process9 dnsIp10 59 www.subbs.net 104.233.160.120, 49695, 80 PEGTECHINCUS United States 32->59 61 www.solardance.net 32->61 63 www.capitalonequicksilvercard.com 32->63 75 System process connects to network (likely due to code injection or exploit) 32->75 42 chkdsk.exe 32->42         started        45 control.exe 32->45         started        signatures11 process12 signatures13 85 Modifies the context of a thread in another process (thread injection) 42->85 87 Maps a DLL or memory area into another process 42->87 89 Tries to detect virtualization through RDTSC time measurements 42->89 47 cmd.exe 1 42->47         started        process14 process15 49 conhost.exe 47->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-22 02:45:46 UTC
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfiagrct3iugjejv2nibnvnlp3tzdtklxpa6jjzpprlm4ovj3wna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02b060c393fbc76a082ef0411f28e2be60bce1af80ea2df91f003e9b8a762b88
Formbook
04a56a61c1ee4f2b5710672cc9d7564086746e99d1e1ea32baf845c5be3758ce
Formbook
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a
Formbook
a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc
Formbook
a8982b67f297cc68ff3f3de02cc7b60d51c8b4a3db85971ce4f73149fe67b6ee
Formbook
e014baadd84bece77f1f8366ea528671bf0bd70fcee974fe1a262bb0ec0a2565
Formbook
fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
Formbook
+ 2'978 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:md05 rat spyware stealer trojan
Link:
https://tria.ge/reports/230522-f4ae2aha8w/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
5d2f53b5972e96a7645fcf3bcb9b595a2f274d4154523b6052a3264b04409a50
MD5 hash:
18a503def10488a85c8db746566b294a
SHA1 hash:
1372f1ac63e6a80bc86695070b1a577846527729
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/960c817e-bb0a-461b-bf6c-c346704654b8/
Parent samples :
fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567
da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84
423562e381586b1c4169d9c3c00014ef14c69bc546897a47ad7a301ac6c7c3c1
b2c1a9091f518029dbac23fab825be576244e2b8d07a82fea5b93778072dd6c7
SH256 hash:
4c7ce432433fc3a8b0a33d558e0041d3f1c222224c5e61f33104d990a534c7a4
MD5 hash:
e8d756b4e2de5a67446e0b1b80e1bb99
SHA1 hash:
b664448f87ac044a16706d35e5d76538ba79508a
Link:
https://www.unpac.me/results/960c817e-bb0a-461b-bf6c-c346704654b8/
SH256 hash:
0c81ed08269b984c567d4f7f0271ee8c525dd07c682710d6e34dc3aba6316fbe
MD5 hash:
a8f9c3cb44cb86670a967a14cb7b3d89
SHA1 hash:
b286c0af5f5cc854e683720549be422509211915
Link:
https://www.unpac.me/results/960c817e-bb0a-461b-bf6c-c346704654b8/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/960c817e-bb0a-461b-bf6c-c346704654b8/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
9bfb46da52bdd00ab4a4fa00a60562b859dd168bfb1565b4186b8bda967ae676
MD5 hash:
d9cfcc96db4c466d2a9ab414da900a13
SHA1 hash:
86f2960eb068ee1a38974a9e5638c9cd406299d7
Link:
https://www.unpac.me/results/960c817e-bb0a-461b-bf6c-c346704654b8/
SH256 hash:
1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
MD5 hash:
5b35cd229afdd0871dfcdbe9ee903406
SHA1 hash:
5f3a4a6fe93590cc459c873767c9e292dce7496e
Link:
https://www.unpac.me/results/960c817e-bb0a-461b-bf6c-c346704654b8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1950034453da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments