MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b
SHA3-384 hash: 66bd8a00ed6029a2a0fba9ff8b773db0d299bf28385531e9aa1426f23b4b95505ec2b96482f4333d6a6345bbfa367d2c
SHA1 hash: 585b40551ce2be9fb371d2492521b2e70ba716c3
MD5 hash: f5115553d0433a580295205d6c8637d1
humanhash: july-eleven-kansas-hamper
File name:Betalingsbekræftelse.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'520'640 bytes
First seen:2021-04-14 06:21:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:Tcxo5hfo5hYs/TVe2IN5L2op5Oq1/jfuZsxDqCzuaeF/YyzrNA7stTcCPwn45PN:Te/TVel7L2OTjWZsxDqCSaeZDEsNcCPw
Threatray 19 similar samples on MalwareBazaar
TLSH 0665123237A8A793E17E563818B201C502F6FD147562DA4F3CF4B48E2AB17524762B6F
Reporter TeamDreier
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Betalingsbekræftelse.exe
Verdict:
Malicious activity
Analysis date:
2021-04-14 06:26:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4491df9c-6f48-489c-ae7d-4ac608c5a2fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/134031/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.646-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a process from a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/674972
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 386427 Sample: Betalingsbekr#U00e6ftelse.exe Startdate: 14/04/2021 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 7 other signatures 2->57 10 Betalingsbekr#U00e6ftelse.exe 7 2->10         started        process3 file4 39 C:\Users\user\AppData\Local\...\tmp5A04.tmp, XML 10->39 dropped 41 C:\Users\user\AppData\...\BTJeCaKkmhLe.exe, PE32 10->41 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 10->67 14 RegSvcs.exe 6 10->14         started        18 schtasks.exe 1 10->18         started        signatures5 process6 file7 43 C:\Users\user\AppData\Roaming\suSwVklf.exe, PE32 14->43 dropped 77 Tries to detect virtualization through RDTSC time measurements 14->77 79 Injects a PE file into a foreign processes 14->79 20 RegSvcs.exe 14->20         started        23 schtasks.exe 1 14->23         started        25 conhost.exe 18->25         started        signatures8 process9 signatures10 59 Modifies the context of a thread in another process (thread injection) 20->59 61 Maps a DLL or memory area into another process 20->61 63 Sample uses process hollowing technique 20->63 65 Queues an APC in another process (thread injection) 20->65 27 svchost.exe 20->27         started        30 explorer.exe 20->30 injected 33 conhost.exe 23->33         started        process11 dnsIp12 69 Modifies the context of a thread in another process (thread injection) 27->69 71 Maps a DLL or memory area into another process 27->71 73 Tries to detect virtualization through RDTSC time measurements 27->73 35 cmd.exe 1 27->35         started        45 www.shessosophisticated.com 209.99.40.222, 49730, 80 CONFLUENCE-NETWORK-INCVG United States 30->45 47 www.virtualappraisals.online 30->47 49 virtualappraisals.online 34.102.136.180, 49735, 80 GOOGLEUS United States 30->49 75 System process connects to network (likely due to code injection or exploit) 30->75 signatures13 process14 process15 37 conhost.exe 35->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-04-14 05:15:43 UTC
AV detection:
3 of 47 (6.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=du7ad63oj5q7jav7hpbgfc2rigujmkcjopvkkdbvxw4stjnkkqnq._file
Verdict:
unknown
Similar samples:
0726eef18a27b6e019baa87d12d004efc1e0fb42169acedb5a56fee6d39d8946
Formbook
1cf2c4b90a84ce31c99a4b74ed546b17b2332a868f75293f237ea0bb0a5835c4
Formbook
40377adc190ad001ea80a3e8bbc32aedc3bf77bcc8954baa1808bd8ae9c322a0
Formbook
4ac0c7eebfc249cfcc200ff60ee5b1f2d7e4d6fb45544961f5ba7a7650f43a7f
Formbook
5501a072a478f1b6c6045154d4b3e5c102c5da98041f503d80b8a2b50bb6b85b
Formbook
5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008
Formbook
69b433882a0be8350987589222a1b677cb948d1efea4e523b878a778bad33d4a
Formbook
6d13e70c1d1771bcbaedb34b5d89ea697d09cc78b3ed1a972def7dfd8a8f9325
Formbook
c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163
Formbook
f3bb0f029466577eb6ae2f65253d518335a8d4b7862454445d32a8339499614d
Formbook
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210414-kdtlax7pnn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/d1e2921a-d380-4d80-9bca-797ee28543b1/
SH256 hash:
1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b
MD5 hash:
f5115553d0433a580295205d6c8637d1
SHA1 hash:
585b40551ce2be9fb371d2492521b2e70ba716c3
Link:
https://www.unpac.me/results/d1e2921a-d380-4d80-9bca-797ee28543b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/134031/

Comments