MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50
SHA3-384 hash: ff2eb81e32183356bc50c7fe2e8e5ced1b954cde7a644553d52af98b2af5025a465ec9b4530ac0a5be0708fc257b50a1
SHA1 hash: 30f4db0650fe07e56b71cfc8d5f8bc7419dd4eb0
MD5 hash: ff59a39aef3085e0e82a34f3a44be0ec
humanhash: failed-diet-kilo-mirror
File name:pago SWIFT PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:910'336 bytes
First seen:2021-07-08 11:39:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:cd/ddQr6NsBDD/F08SxyeHUvlwp5+hN1e9wrWuB+OZRCE2lQ8XE9Y5:cdVd26NiY0cC/e+v+OZyu80q5
Threatray 6'416 similar samples on MalwareBazaar
TLSH T139159E7660768F92EEBFC7385731251C4FE9B277D34BF6782C95608904C4F844AA2A27
Reporter malwarelabnet
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pago SWIFT PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 11:42:29 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/36005a08-735b-46f7-b900-da4594e6a610

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170426/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.908-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42335a07-3574-45bb-9f9e-886751f013d9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813443
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445854 Sample: pago SWIFT PDF.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 7 other signatures 2->54 10 pago SWIFT PDF.exe 7 2->10         started        process3 file4 34 C:\Users\user\AppData\Roaming\dVQzzHf.exe, PE32 10->34 dropped 36 C:\Users\user\...\dVQzzHf.exe:Zone.Identifier, ASCII 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp91AA.tmp, XML 10->38 dropped 40 C:\Users\user\...\pago SWIFT PDF.exe.log, ASCII 10->40 dropped 60 Writes to foreign memory regions 10->60 62 Injects a PE file into a foreign processes 10->62 14 RegSvcs.exe 10->14         started        17 RegSvcs.exe 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 21 explorer.exe 14->21 injected 78 Tries to detect virtualization through RDTSC time measurements 17->78 25 conhost.exe 19->25         started        process8 dnsIp9 42 www.healthtexasmedicare.com 104.21.93.95, 49765, 80 CLOUDFLARENETUS United States 21->42 44 www.856379713.xyz 103.88.34.80, 80 CHINATELECOM-ZHEJIANG-NINGBO-IDCNINGBOZHEJIANGProvince China 21->44 46 6 other IPs or domains 21->46 56 System process connects to network (likely due to code injection or exploit) 21->56 58 Performs DNS queries to domains with low reputation 21->58 27 wlanext.exe 21->27         started        signatures10 process11 signatures12 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66 68 Tries to detect virtualization through RDTSC time measurements 27->68 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 21:32:52 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=evmk2vrsf456dpgaormz2ty5vvnzu7hiadichv4vmdjqwd3bt5ia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1432f0240c91b7439722df807e35ef9b4cc9b126f3e5d42cedb27b28751118d7
Formbook
16f669b8657b76f78a71e28f4b475856eddccfd143f2128275212b338aca8620
Formbook
1ba55b6d19b202f0a3fa11a7122a210ed0041074bf30fc754bbc87c1a793304b
Formbook
72ea41f7ce02b41072d1dce424f9e4a2a7c9e414c1038d26a11f685a3371473e
Formbook
872d03fd7d4748230a0e84593f7a29c36f70a5c711ed4a4dc2c11a9d9774d06a
Formbook
8e02514cd7c554f82c268372fde4ccb486088c40957182201920bf805ed72b02
Formbook
8ea636d851faf7ce0769fbbe7856659d0eb6638353df90e0c93f461ac3a932be
Formbook
a0a24af1d7eaf3c0066b417f3f631327af37f5e1e3ee8f79019bade1f700ef69
Formbook
a173731d16e9140be26ee0a16e6416109b684b71a3523a3c4b85cf101bcd3b1e
Formbook
df22601db1675ce639bc8efe21534f7371050ae9637f6cdf38bc23ae6c18efdf
Formbook
+ 6'406 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210708-121c6s7jne/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.recareerrecruiter.com/w56m/
Unpacked files
SH256 hash:
dcb835c1161010d6bc74d93bb5d13628b947c65976563cfcd688b152125ec735
MD5 hash:
44dd39404ad66587023e849fbf3ec2ff
SHA1 hash:
c7ff8c56aa6620bf2e82bc266d77c4a30933f72b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a306eab-665c-420a-8722-8626e2eb0109/
Parent samples :
0ad43fd8a30f20f600092744496b9008b6293f1c845a567d8b9ad9b9537e16cf
2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50
45abf01202d5b9993c5d873917cb8f943ed0c479628b62f0bd1e0453c385597c
0843599494471ac72b515fc33ea317ed0b384257ff9cb2de7e93a657f9e89878
ccad88cfcaf9a2b65b29af3fe6b85559efe3ffcf032ada3919cfa656eef60e54
5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
5e4a7a05fd61a82f8bccc6a21dfbcfe91310e4051a0fc7f2c358037a223e193d
SH256 hash:
13e158f5a2c4c6454db32d040d0b4a34de16f2092724efecfce7ee66a65fb0f5
MD5 hash:
51e49f32eadfb6e1d44f692ca5f3aa12
SHA1 hash:
f8a46259ed63ad389e00e6a515c980206fc77069
Link:
https://www.unpac.me/results/6a306eab-665c-420a-8722-8626e2eb0109/
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/6a306eab-665c-420a-8722-8626e2eb0109/
SH256 hash:
c9d729ae010cae9848efd34bbf215978904e35a92a5409b09a24d8c7ad9ee156
MD5 hash:
a4c539030168a69887d77ac5b22b0751
SHA1 hash:
62703f295c5bff04d5dcea3e69d5d5c7e4ec027a
Link:
https://www.unpac.me/results/6a306eab-665c-420a-8722-8626e2eb0109/
SH256 hash:
2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50
MD5 hash:
ff59a39aef3085e0e82a34f3a44be0ec
SHA1 hash:
30f4db0650fe07e56b71cfc8d5f8bc7419dd4eb0
Link:
https://www.unpac.me/results/6a306eab-665c-420a-8722-8626e2eb0109/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/2558ad56322f3be1bcc074599d4f1dad5b9a7ce800d023d79560d30b0f619f50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170426/

Comments