MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b31323173493f6a6bd5e7eee14ea280bd08d0d8a6edc5834a36354629f5ce9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b31323173493f6a6bd5e7eee14ea280bd08d0d8a6edc5834a36354629f5ce9d
SHA3-384 hash: 171cb8285aaf32716179ce3f41966322855fdfa1c7853ba2b5b8b5cbd9b1cc5ed4d466ff3cf74a53bcbb1d1f05d7a7f4
SHA1 hash: 2e0c7dfece45a8a5bf25a4a7f0ed8ee816b19e93
MD5 hash: 0a86481c8d4a9a475ac3bf5790b83101
humanhash: fish-edward-pizza-magnesium
File name:Proforma Invoice.exe
Download: download sample
File size:454'889 bytes
First seen:2022-04-25 09:04:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:kNtfGiBBak3SXdjD6D73K+2AOGLYj1seB:kNtfGotC36D73KARUj1seB
Threatray 24 similar samples on MalwareBazaar
TLSH T1A6A41271A595F0D3E9131B7128BC75331AB6BD0BC0F846668F50FB5A35BE3829A193C2
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 86e0c0c2cce8f0f0
Reporter madjack_red
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266282/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Moving a file to the %AppData% subdirectory
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62666443fac433a7cc8529c9/reports/c67995e2-3b40-42b0-81bb-8528ed034b68/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spectre
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd58bef0-9c9f-4bca-966d-19a2ee2ec8ef
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/982284
Signature
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 614771 Sample: Proforma Invoice.exe Startdate: 25/04/2022 Architecture: WINDOWS Score: 92 71 Multi AV Scanner detection for submitted file 2->71 73 Executable has a suspicious name (potential lure to open the executable) 2->73 75 Machine Learning detection for sample 2->75 77 2 other signatures 2->77 9 Proforma Invoice.exe 18 2->9         started        process3 file4 51 C:\Users\user\AppData\Local\...\jelcihdms.exe, PE32 9->51 dropped 12 jelcihdms.exe 9->12         started        process5 signatures6 85 Multi AV Scanner detection for dropped file 12->85 87 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->87 89 Injects a PE file into a foreign processes 12->89 15 jelcihdms.exe 20 12->15         started        process7 dnsIp8 69 evanescingunsatanicallychrysal.com 179.43.142.190, 49692, 49693, 49698 PLI-ASCH Panama 15->69 47 C:\Users\user\AppData\Roaming\...\dzbg.exe, PE32 15->47 dropped 49 C:\Users\user\AppData\Local\...\dzbg[1].exe, PE32 15->49 dropped 19 cmd.exe 2 15->19         started        21 cmd.exe 1 15->21         started        23 cmd.exe 1 15->23         started        25 11 other processes 15->25 file9 process10 process11 27 systeminfo.exe 1 1 19->27         started        43 2 other processes 19->43 30 dzbg.exe 8 21->30         started        33 conhost.exe 21->33         started        35 dzbg.exe 8 23->35         started        37 conhost.exe 23->37         started        39 7za.exe 2 25->39         started        41 7za.exe 2 25->41         started        45 19 other processes 25->45 file12 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 27->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 27->81 83 Writes or reads registry keys via WMI 27->83 53 C:\Users\user\AppData\Roaming\...\zip.exe, PE32 30->53 dropped 55 C:\Users\user\AppData\Roaming\...\nircmdc.exe, PE32 30->55 dropped 57 C:\Users\user\AppData\...\PsInfo64.exe, PE32+ 30->57 dropped 65 4 other files (none is malicious) 30->65 dropped 59 C:\Users\user\AppData\...\vcruntime140.dll, PE32 35->59 dropped 61 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 35->61 dropped 63 C:\Users\user\AppData\...\softokn3.dll, PE32 35->63 dropped 67 4 other files (none is malicious) 35->67 dropped signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b31323173493f6a6bd5e7eee14ea280bd08d0d8a6edc5834a36354629f5ce9d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-24 23:53:05 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmytemltje7wu26v47xoctvcqc6qrugyu3w4la2kgy2umkpvz2oq._file
Verdict:
malicious
Similar samples:
2395406485367f123c11e0ad5b8a1ce58638921fb7e7acfdd06e341135b2d8df
530e60117af681ba636ba03254c06041e865afa3f9cf1596ced6d59d58bdb1b8
584c144d09b76173e49dcdf517526d26ef26959e447734612343d03d25145f5e
717dfc6fa41b8517420dfef7b8685f5ae3fe4754806229a6e794fec562e5deff
747bff52167a03f0db2458b3a67b8ea292044dafe4dd921f0c6613b7030987a1
8737889b676e5b9fc9511cb9f2bb692032e944739d8d77e4cece07395014f16c
8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer upx
Link:
https://tria.ge/reports/220425-k16raagacl/
Behaviour
Checks processor information in registry
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks installed software on the system
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
54590edde7bb761444b216f05cfb4c128d01e82961b0c9e7ec40d72a5e8ad952
MD5 hash:
fa42d5ecd6c3c8fe54cf506ee8f7d2a2
SHA1 hash:
d8a6f737521a8957c0bd059c790fb63741f4a9d9
Detections:
win_spectre_auto
Create hunting rule
Link:
https://www.unpac.me/results/c43a40f7-6676-4a77-816d-6a95bc9c8240/
SH256 hash:
f6ee60866b12948ad461e971d957aeaf4d03063e220f67c37bfc5441733d3d42
MD5 hash:
058d3b0e2fbce1f34288ded2829316de
SHA1 hash:
2642e7e74535e88db00984c3464bef77e50ab301
Link:
https://www.unpac.me/results/c43a40f7-6676-4a77-816d-6a95bc9c8240/
SH256 hash:
06b56a16355a5be1070a0ddc9e5bc4ce55932ea68da506e23d3257be03ee4558
MD5 hash:
1795a3b02c08f1d6ad5835a312d54607
SHA1 hash:
7fac8b801fc017a06a1c75320e06f26cd98efe06
Link:
https://www.unpac.me/results/c43a40f7-6676-4a77-816d-6a95bc9c8240/
SH256 hash:
1b31323173493f6a6bd5e7eee14ea280bd08d0d8a6edc5834a36354629f5ce9d
MD5 hash:
0a86481c8d4a9a475ac3bf5790b83101
SHA1 hash:
2e0c7dfece45a8a5bf25a4a7f0ed8ee816b19e93
Link:
https://www.unpac.me/results/c43a40f7-6676-4a77-816d-6a95bc9c8240/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b31323173493f6a6bd5e7eee14ea280bd08d0d8a6edc5834a36354629f5ce9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb2
Create hunting rule
Rule name:pdb2
Create hunting rule
Rule name:win_spectre_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.spectre.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266282/

Comments