MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8
SHA3-384 hash: 0dbc400dcb273d0f9170a5ab1787761636ce3b711669c9f56a8d99af63978aa9fde79d180253f5ef80fd17a24d1c08c5
SHA1 hash: cc89138f906776cc8ceb6135753bd1bfdc423846
MD5 hash: 915102405b44b4eb490450935905b4c5
humanhash: potato-delta-grey-sodium
File name:BANK DETAILS-26012022-971332pdf.gz.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:239'616 bytes
First seen:2022-01-28 07:32:41 UTC
Last seen:2022-01-28 10:06:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:F1TIYUch/ZnAsONTZHl7M8+YG9M+mTHJbpUZB2ktlfL8ZkjQzKfj91L9F15:oCAsgPEMlTfUZll4yeKb91Lb
Threatray 12'901 similar samples on MalwareBazaar
TLSH T15034A057BA0C939EDB58CBF535BE463117A1AF6314E09D2CB8C0FE6D46B262C22405E7
File icon (PE):PE icon
dhash icon 6ccccc9cc4d8e8f4 (41 x Formbook, 34 x AgentTesla, 3 x AveMariaRAT)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/224879/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.292.26633.22956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated replace.exe
Link:
https://www.filescan.io/uploads/61f39c3620a5f4d327d89fed/reports/6c618511-a220-4687-8941-9e5618c6cf6d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bdfa556-6f4f-4190-8ef8-307ad44dc9c6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/929495
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 561970 Sample: BANK DETAILS-26012022-97133... Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 29 www.elektropanjur.com 2->29 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 6 other signatures 2->45 11 BANK DETAILS-26012022-971332pdf.gz.exe 14 2 2->11         started        signatures3 process4 dnsIp5 37 transfer.sh 144.76.136.153, 443, 49736, 49740 HETZNER-ASDE Germany 11->37 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Injects a PE file into a foreign processes 11->61 15 aspnet_compiler.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 2 other signatures 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 31 www.glenndcp.com 164.155.212.161, 49782, 80 IKGUL-26484US South Africa 18->31 33 imaginativeprint.com 92.205.0.95, 49809, 80 GD-EMEA-DC-SXB1DE Germany 18->33 35 13 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 49 Uses netsh to modify the Windows network and firewall settings 18->49 22 netsh.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-27 04:33:24 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
15
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=engzity4jwo4xefgpf64co7vb6rcsdncemgrgtxhbpclprauhk4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
40c96d51be2ae8a3360f39a25e522304df5999e05d99eeeeffb79fdc8fbbfd62
Formbook
438844112d1161774efd0548c7398ead40d3b61423b9c0329d994dc54a681bde
Formbook
6d722da095632d50aa49b4749a4e7db323889aee6fad1ecc2c5dd999e63c645e
Formbook
75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2
Formbook
b24fe0dd0ec4d61ac6903f6579d59dcffd17d0e002c96803a551aa3ab17367ef
Formbook
c9cdf462a12dc6e78757b7f1b3ad4fd9139cafd0b1e81d67d3d0141e2b09137e
Formbook
d277fc7f7001598fc7730b3bfec96ce2749f616d64fe20bcd403a599b1bc7c2c
Formbook
f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363
Formbook
fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc
Formbook
+ 12'891 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:be4o loader rat
Link:
https://tria.ge/reports/220128-jdjgsshfg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8
MD5 hash:
915102405b44b4eb490450935905b4c5
SHA1 hash:
cc89138f906776cc8ceb6135753bd1bfdc423846
Link:
https://www.unpac.me/results/3177a659-a7ba-4d8a-a595-99194e1ec729/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/234d944f1c4d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7

Formbook

Executable exe 234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 dacada6f63feabf79c83fb521deb881c687ddb4d3902f3b7e98762d746d993d7
Cape
Cape
https://www.capesandbox.com/analysis/224879/

Comments