MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611
SHA3-384 hash: 975df331e23bc461412b9fa5736032df620e11cc3879d51ae17f252ab4142bc8065360747e851d81b4d7d653d942e327
SHA1 hash: 39adbb18c882c079da7fb272e722acb5f0d8a18f
MD5 hash: be66cc0476f986aa3710dc0718b773dc
humanhash: wisconsin-august-sink-sweet
File name:Factura_834.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:244'495 bytes
First seen:2022-04-19 08:11:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:8Qq+KvEOcxYWEgXfZTxjTXALwEsEb80oVxLaf/E21:TnhBEgtFr9wbeLafF1
Threatray 15'037 similar samples on MalwareBazaar
TLSH T1A834128BFBD05877CD6A06B00D32D736DAB3BA58A5210E2B5F512F6716201C3CD3D1AA
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter proxylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264547/
Detection(s):
PUA.Win.Packer.NspackDotnetNor-2
Create hunting rule

PUA.Win.Packer.NspackDotnetNor-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/625e6edcffe27d511909594d/reports/2fd9ca91-301d-4784-840d-fc13e113078a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5daf95da-491b-474b-a0bc-f08a37491c40
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978694
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611181 Sample: Factura_834.pdf.exe Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Yara detected FormBook 2->49 51 4 other signatures 2->51 11 Factura_834.pdf.exe 18 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\mdfjrni.exe, PE32 11->33 dropped 14 mdfjrni.exe 11->14         started        process5 signatures6 61 Multi AV Scanner detection for dropped file 14->61 63 Tries to detect virtualization through RDTSC time measurements 14->63 17 mdfjrni.exe 14->17         started        process7 signatures8 37 Modifies the context of a thread in another process (thread injection) 17->37 39 Maps a DLL or memory area into another process 17->39 41 Sample uses process hollowing technique 17->41 43 Queues an APC in another process (thread injection) 17->43 20 explorer.exe 17->20 injected process9 signatures10 53 Uses netsh to modify the Windows network and firewall settings 20->53 23 netsh.exe 20->23         started        process11 signatures12 55 Modifies the context of a thread in another process (thread injection) 23->55 57 Maps a DLL or memory area into another process 23->57 59 Tries to detect virtualization through RDTSC time measurements 23->59 26 explorer.exe 2 151 23->26         started        29 cmd.exe 1 23->29         started        process13 dnsIp14 35 192.168.2.1 unknown unknown 26->35 31 conhost.exe 29->31         started        process15
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 08:12:14 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=etosh72vohcd2z6faduh2y2tbjg6nxgnrsrhciqxrvoecdqzkyiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
308d882a5267dc2b1e74498c052ad6f0ba7e29544f8872600586b9d2dfe798f9
Formbook
4d11816de1a6429b0fa2f9754f7e51e45a6afb350ddd5b806974b629e8fc6fc3
Formbook
573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe
Formbook
67db5982545c91192a7c4fcaa3cbe5324de3e69faa1af275b05926d80eda889d
Formbook
6cfa56b0dad5efbc0695eb8322efc57b979611bf187919c95b2ec1d47648f2c0
Formbook
c6d0861ae7de13673ba678e5460d94433a6a873d461015070cc95fe174015991
Formbook
c767db1d9bb5f369f3a2d395412c98f71de29cf829800a2494a2c0dec8e4a57f
Formbook
d07fe0d534c8cff1f0f104f5036d547fbf837671f3de78f00a88caf0cd5e4451
Formbook
d9950b4ee72ba5d966404150d11764c0bd5de8c76f605c615b95428036733472
Formbook
f9ec408f51f4e31dbe8977db554dcda8e58e0f89eda485b361026b379f69eb6d
Formbook
+ 15'027 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gb10 rat spyware stealer trojan
Link:
https://tria.ge/reports/220419-j3tztsdhg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
ca1d17c24d4f504c3675bc7558934300932e414866767ba2445111e758916b06
MD5 hash:
ae071e8fb7f43c197b2cde3300bd1f20
SHA1 hash:
1ade5730656f57fb4db360e9741de26df5faad96
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1c511f83-4a3a-480f-8b73-d558c1b21bae/
Parent samples :
da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa
24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611
ae780be61afe538f90e40159595af388df5a27131b650c229f9eaf5e362f21a1
SH256 hash:
8bcd5a9ed5c80e95576f56c9c362fbd71cb05d7f16986a2c8c4e0e9b5d6c7dbe
MD5 hash:
7f8378e758eb6c258c008439bdfd3d27
SHA1 hash:
88afc7310ed3ffb124041d180e3b6285f86cd90d
Link:
https://www.unpac.me/results/1c511f83-4a3a-480f-8b73-d558c1b21bae/
SH256 hash:
24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611
MD5 hash:
be66cc0476f986aa3710dc0718b773dc
SHA1 hash:
39adbb18c882c079da7fb272e722acb5f0d8a18f
Link:
https://www.unpac.me/results/1c511f83-4a3a-480f-8b73-d558c1b21bae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264547/

Comments