MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1999253e5409121ca9810f0a75358043ed34c6fbd8444423cd01f935a51ad64d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1999253e5409121ca9810f0a75358043ed34c6fbd8444423cd01f935a51ad64d
SHA3-384 hash: f63680bb44c84e11218813a0b6a496e879a5c2006d40832aa3b7b247ecd080a594eb55161fea420da190e95532325aca
SHA1 hash: e9605644fb200cd50d9d5f8a3d39fbfa89308fa5
MD5 hash: fd5c685c4de8d3edc46137f732c64e32
humanhash: six-pennsylvania-carbon-ceiling
File name:INVOICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:702'976 bytes
First seen:2021-09-28 16:21:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:nzCez6Ni+hBr7IUAapmjI5RZC2YcKHpU0svdfvCf:nmNi+hBr8UA0mjKZaVJL08
Threatray 9'703 similar samples on MalwareBazaar
TLSH T1E9E4AEDA1EB453CBFB5E01F8F5793B8813BA9028E597F2C2DA05B0B351367644920DE6
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 16:25:40 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/0fe12c1f-1349-4ed8-946e-ed120c172dd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192679/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1048-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Scr.Malcodegdn30.14006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7b26ca8e-893c-49dc-9cdb-0192dce945ba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860041
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492474 Sample: INVOICE.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 34 www.musicbusiness365.com 2->34 36 musicbusiness365.com 2->36 38 www.xinxiangzl.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 7 other signatures 2->48 11 INVOICE.exe 3 2->11         started        signatures3 process4 signatures5 58 Tries to detect virtualization through RDTSC time measurements 11->58 14 INVOICE.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.shyy-life.com 173.231.37.96, 49794, 80 WEBNXUS United States 17->28 30 www.aedifice.group 203.170.80.253, 49799, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 17->30 32 14 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 control.exe 17->21         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 21->50 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1999253e5409121ca9810f0a75358043ed34c6fbd8444423cd01f935a51ad64d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 16:45:43 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgmskpsubejbzkmbb4fhknmaipwtjrx33bceii6nah4tlji22zgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
Formbook
2eb844b531f53a22bd20a919fda7cb483283c2e0cfc9968bca6b0c8792be580c
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3
Formbook
5e27b2f6ec7f0387f6c380ac26eb924fcc732601c43ed7c400c42ae82fb0de57
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
699ac8f16c67cda47a80657cce69cbb8b42d711a9e4609ad6a8ff2ed84119b01
Formbook
9748d96e1143a06277d9cc3e9398d366fe3fa21c4316b8134462c42a0020fe87
Formbook
cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a
Formbook
e16cb828cc6368d7e7a1312eded1e218c31ebc325f37b13bd612c464b84afb79
Formbook
+ 9'693 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:avqp loader rat suricata
Link:
https://tria.ge/reports/210928-tvfscacdfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.chantaldesign.space/avqp/
Unpacked files
SH256 hash:
4dda4c463678a9077039a016ee92dee4850e9085119b0f5287412ae767934530
MD5 hash:
26b2b49c03f9fd70c6faa33b859b448e
SHA1 hash:
536873fd20ef507d16f5fba94b4f9344c7345414
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5ea1c673-ef2f-44c0-9cbc-bb636a6d6ca4/
SH256 hash:
f5583119b9b43fe8dcc83f3383afdf87629b5aa225e45d755ce1f4ff810f5c30
MD5 hash:
c4e4f50bbdebe5979aa4caba6ae989e1
SHA1 hash:
ec39d0b33aeae94054906e723bd634f29d3ade49
Link:
https://www.unpac.me/results/5ea1c673-ef2f-44c0-9cbc-bb636a6d6ca4/
SH256 hash:
19f6518e802be68606918651983f7a7f307921c6927295a628ac497b082c92d6
MD5 hash:
b8c06cbe149d9a108ccbf0f97d3c409c
SHA1 hash:
487df427d78d899ed7be44acd272afc51ad1d68d
Link:
https://www.unpac.me/results/5ea1c673-ef2f-44c0-9cbc-bb636a6d6ca4/
SH256 hash:
6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash:
681eca96e4e7b513317178dc7065ef39
SHA1 hash:
24af82015bc57d125f1ccb759840118b2283d1dc
Link:
https://www.unpac.me/results/5ea1c673-ef2f-44c0-9cbc-bb636a6d6ca4/
SH256 hash:
1999253e5409121ca9810f0a75358043ed34c6fbd8444423cd01f935a51ad64d
MD5 hash:
fd5c685c4de8d3edc46137f732c64e32
SHA1 hash:
e9605644fb200cd50d9d5f8a3d39fbfa89308fa5
Link:
https://www.unpac.me/results/5ea1c673-ef2f-44c0-9cbc-bb636a6d6ca4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/1999253e5409121ca9810f0a75358043ed34c6fbd8444423cd01f935a51ad64d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1999253e5409121ca9810f0a75358043ed34c6fbd8444423cd01f935a51ad64d

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192679/

Comments