MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
SHA3-384 hash: e032b5ae3436ea946bc14bb827e0c3a1499712c4fd008c96e77b76726b974ad0a0a033096fd4e11bc9ef0f4084d75324
SHA1 hash: 2c2dce7d34e81dd0329022ec41802ce8296a7ba7
MD5 hash: 02efae6482a081c221d846f386752d3a
humanhash: jig-steak-quebec-yellow
File name:ISSUES INVOICE E-4136 REV.2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:662'016 bytes
First seen:2021-07-15 08:12:50 UTC
Last seen:2021-07-15 08:13:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:nnvxQWM/i8cO0IoLvWllbXwO24mdTpzfuuwA/jROT36ZiF8NfhSVk:nmW4X0pLvWnbXGdTkuwAdc3kiFK
Threatray 7'101 similar samples on MalwareBazaar
TLSH T10EE4AEAE338435AFC77FD472BAA4AC54FA5068A7270BCD0B418311C9550F9539E85CBE
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ISSUES INVOICE E-4136 REV.2.exe
Verdict:
Malicious activity
Analysis date:
2021-07-15 08:16:16 UTC
Tags:
trojan formbook stealer covid19
Link:
https://app.any.run/tasks/cb6cdf4a-d2c9-4fb4-b256-8aee71808549

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171894/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be16f786-726b-4ff0-8fdd-57f7b26cd1fd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816735
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 06:39:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
12 of 46 (26.09%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dhzbahkqbx5cxjy3v4rajf76rcegm65x3hem6smwbb77m7ar2fla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
41d1ffa0d55a6c7e6758afe11084539691922714455663d641e1be3c8e4d9977
Formbook
602b9e5b584b67abd5573952c8633272e414dd6cde6485b9722cf780d809297a
Formbook
66b02d69d4eff510190fb38504be6dcf9f94d28f14b0569c7d1cd36bfb78983d
Formbook
68fa77befde4e147cc7bc2fb142306a94245adb49c4ccca175f12f29414ce3d1
Formbook
6fac6e1f7f8cdd8cec52b2dd7a23fd434084c7d12ef0f04deaa52794d3612ef7
Formbook
7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a
Formbook
8a403d5866d98e6da02683d365c982c0089b338f92d2e2fe7b5ae099dbaa635b
Formbook
a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9
Formbook
e47843b7ef3c9825c787ff7fae69cfbd4759a21e81da4e800746af5b7937c45b
Formbook
ebe1f420ea3fcef5b426cf6458d23984e12c4ceb5983571699f60aaa963b159a
Formbook
+ 7'091 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210715-lf1zn7bf8e/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.wwwgraciescottage.com/u9pi/
Unpacked files
SH256 hash:
66f738d9107d8d19daa99d684e5473285116537e0bb3f8089ca32b269eee22a2
MD5 hash:
046399038b945b76e72ba6bb1ccee8a1
SHA1 hash:
3f6ca561723b3d79f4373c60e6c5a17eccbbc947
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5eb016f8-cbc0-49e4-93b8-ab869ba7abe7/
Parent samples :
66b02d69d4eff510190fb38504be6dcf9f94d28f14b0569c7d1cd36bfb78983d
a29d5d9dae6f9937c1f0dcf733031f3478d74f326c1913727eb9e65e53c82ab9
e47843b7ef3c9825c787ff7fae69cfbd4759a21e81da4e800746af5b7937c45b
8a403d5866d98e6da02683d365c982c0089b338f92d2e2fe7b5ae099dbaa635b
19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
SH256 hash:
3d6e4a7ab874d1ee82d90f8542c0db1e5dd7338a41ef3770ffdef4676384a8c9
MD5 hash:
fbafb3b131fb18bf156fd9d5bfe48c09
SHA1 hash:
cacda9b2b3c8e0a24bb47e0c7feeb136af95f9a9
Link:
https://www.unpac.me/results/5eb016f8-cbc0-49e4-93b8-ab869ba7abe7/
SH256 hash:
f90adcb719228000ddd0e072299a4cd36e0e3d671448b39aa46e499edd4a4ea4
MD5 hash:
6e1125f525f5360d8703b0fe5c2fe585
SHA1 hash:
7c63ae793e381d4a9d41ca9f5520856022e97c0c
Link:
https://www.unpac.me/results/5eb016f8-cbc0-49e4-93b8-ab869ba7abe7/
SH256 hash:
19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
MD5 hash:
02efae6482a081c221d846f386752d3a
SHA1 hash:
2c2dce7d34e81dd0329022ec41802ce8296a7ba7
Link:
https://www.unpac.me/results/5eb016f8-cbc0-49e4-93b8-ab869ba7abe7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 7914fa795699cf35720b49331c4966c188d5720b59b28692ffac2b94e7317692

Formbook

Executable exe 19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7914fa795699cf35720b49331c4966c188d5720b59b28692ffac2b94e7317692
  
Dropped by
SHA256 2771c9b15d6a7ce670af03b2709545a4553f187098db3ac7616b25aa8067bd1e
Cape
Cape
https://www.capesandbox.com/analysis/171894/

Comments