MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24a38f571f2a7998676bdf0eae3d7a095cb8e7e55c5b1fac8e49dd1afa582354. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24a38f571f2a7998676bdf0eae3d7a095cb8e7e55c5b1fac8e49dd1afa582354
SHA3-384 hash: fe0b921daa4977bf7cc78475d994d3f746bc45f1b61cd6bf6ea44b9227fa31250406263d2dbc1edf45f07e0623734117
SHA1 hash: 9c94702b6b329a0ed61e53248894ef704a03d6a2
MD5 hash: 8755e19d9da0cb4e12e593f7fae64d8b
humanhash: minnesota-eleven-gee-stream
File name:Payment confirmation reference.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'120'256 bytes
First seen:2022-05-10 12:53:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ucK1Afxt7J0nCyHAvcG3rbTsNlQxQDHGWAXnvs+bMAaBv91hULOGeFCu9Y0zI+Fz:HUu2nlgH7Gl3hA/s+gQ
Threatray 17'073 similar samples on MalwareBazaar
TLSH T16E3528983254F9DEC817D171CA685CF4AA207C6AC32B820B50173D9DB97EA83DF119B7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f26efec4b6c2c00c (24 x AgentTesla, 14 x Loki, 12 x Formbook)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Payment confirmation reference.exe
Verdict:
Malicious activity
Analysis date:
2022-05-10 19:59:06 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/a5c5c528-fc7a-41f9-a257-36ed9fe02388

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269427/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.3418.26215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/627a606eb119a5f609b75ffc/reports/54a6e0fe-385e-4f81-9aea-e697ac08c8bd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/57af4915-7963-467e-bdab-31602468212b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990936
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 623431 Sample: Payment confirmation refere... Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 38 www.morgan555.top 2->38 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 7 other signatures 2->52 11 Payment confirmation reference.exe 3 2->11         started        signatures3 process4 file5 36 C:\...\Payment confirmation reference.exe.log, ASCII 11->36 dropped 14 Payment confirmation reference.exe 11->14         started        17 Payment confirmation reference.exe 11->17         started        19 Payment confirmation reference.exe 11->19         started        21 Payment confirmation reference.exe 11->21         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 23 explorer.exe 14->23 injected process8 dnsIp9 40 panfletagem.digital 185.225.208.56, 49763, 80 UK2NET-ASGB Germany 23->40 42 www.slabiesplin.quest 37.123.118.150, 49849, 80 UK2NET-ASGB United Kingdom 23->42 44 26 other IPs or domains 23->44 54 System process connects to network (likely due to code injection or exploit) 23->54 27 rundll32.exe 23->27         started        30 autofmt.exe 23->30         started        signatures10 process11 signatures12 56 Self deletion via cmd delete 27->56 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 62 Tries to detect virtualization through RDTSC time measurements 27->62 32 cmd.exe 1 27->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24a38f571f2a7998676bdf0eae3d7a095cb8e7e55c5b1fac8e49dd1afa582354/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 08:58:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=esry6vy7fj4zqz3l34hk4pl2bfolrz7flrnr7leojhorv6syenka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
41b4934175cd6e5d2de06bbe30db1c1b258f75545a2e5c9b1e2b20d9fa92f369
Formbook
451ab9846f3c63a6b5f2e25ab5f58bb4180cf414062f52e280bd98eafea81963
Formbook
6fde41cc15fe0b8ca114dfbfed055f687d8d2883c734a7426719bd6a8037b958
Formbook
827c59f47ce022d9a4f2b51678d69f8adc22a960100187d2ed4a8b5bb7cae99c
Formbook
87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d
Formbook
8fe6d743d2882ef8f20c4b54a16b7086ca29cd852b376d18bd5a49fd445f8a2d
Formbook
e5edd4128bd5a040d8b4a98275e5a3800fb29e7af5c81015ebebe1a1a95ad27b
Formbook
f98336bc1d2a5f5589dbc825b6e7024465848a4bfcb9ec671d6c152899e6fa27
Formbook
+ 17'063 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ceah loader rat suricata
Link:
https://tria.ge/reports/220510-p47j7sbfbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
ee57621b9c15ee6a3d3d09ee36ddea4d2f61926c766ebe3b6843364ca76f7cb2
MD5 hash:
16dda87e4ae3551c05550c6a66ba9712
SHA1 hash:
0fede5fc2d9ca3c4277e2442d74d304c3a11968e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e60faa5-f6e9-4bec-a5a9-f0e0900beb59/
Parent samples :
7b95105b71a0dbe7c8e10d0c795271c57e16c5425543351d2d7ac74732624b7a
267904ca2a152335c038d59e49f4ff3a0b65731db6ec8642c73b9771c3796def
75009107d25dd61f8aeba35623229311f50cae948f35c5640b03308e97977587
24a38f571f2a7998676bdf0eae3d7a095cb8e7e55c5b1fac8e49dd1afa582354
b3f399ca73ed8649d535aff90391ae6b77d52caa0959038e3d20b15fa6217ba7
bc1b641ded95e09ee28144b98ac38dd352f7a32ae47e9ccb1ea3a7f2e32372e3
9e82eaa621706db6869429ade66b7744466f1f1cdb4dfc9dfdc38da681dbb181
0e4db1ff40da83dd1ec6e134dfd86864f24df29bbc9065158e395cbd63436493
4b24a0fcfe00e88f0c5b7d98ae96e8bc24e8339b0a409973bb242832f7873399
ded54adbb773c24d9e00f2dcd3ee68d1cdf6498bb5992dc80a9a1f24e34a766d
fe1a99788ccba4ee6ddf33995daf4b478ea7306c265974e119876e2a2106b7ee
086e69a04dc6eafaf7121b2cd5dddb48bfc94ec8ea44636e883aa4d8bd3f8f20
SH256 hash:
231997280c4a079ce6e46ee1a6530cd410b655d7242298b78fdd4830555bc47f
MD5 hash:
e5665835f0c1f1753c46bba761a0cb88
SHA1 hash:
98ee22a28e68fc7d20666ca73b5452d8c8d30b8d
Link:
https://www.unpac.me/results/4e60faa5-f6e9-4bec-a5a9-f0e0900beb59/
SH256 hash:
e8779f497601b4263ebb813a25081e07ba40c8b8701d5c74d08df67881a6d3a3
MD5 hash:
b08d379ac2e0b088434bc1d549f8a3e6
SHA1 hash:
92809aebc95986fce61d1e5ae79be3f41275a86b
Link:
https://www.unpac.me/results/4e60faa5-f6e9-4bec-a5a9-f0e0900beb59/
SH256 hash:
0613e41d5671109ec2d7cc15bb28a441f7b65d3493fdef3a0fc63790a745a529
MD5 hash:
bcb7f85e158651a0ad2731e6a1edd401
SHA1 hash:
2a5e80a1800c23b93f7e9e20c64908b9b25ce2f4
Link:
https://www.unpac.me/results/4e60faa5-f6e9-4bec-a5a9-f0e0900beb59/
SH256 hash:
24a38f571f2a7998676bdf0eae3d7a095cb8e7e55c5b1fac8e49dd1afa582354
MD5 hash:
8755e19d9da0cb4e12e593f7fae64d8b
SHA1 hash:
9c94702b6b329a0ed61e53248894ef704a03d6a2
Link:
https://www.unpac.me/results/4e60faa5-f6e9-4bec-a5a9-f0e0900beb59/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24a38f571f2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/24a38f571f2a7998676bdf0eae3d7a095cb8e7e55c5b1fac8e49dd1afa582354

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/269427/

Comments