MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0
SHA3-384 hash: dca2045bd78a90d982a9b8d2cd5f1cd44f08b45d5a9b58e71420e3acdf43f6a32172966a291750a131c3ef34851f0c0c
SHA1 hash: e5c903c9a731c3abfbdb5141d926616bf7b54beb
MD5 hash: 6b5c6aefc470e66a1d12bc56437f48a0
humanhash: california-arkansas-uncle-nevada
File name:REVISED INVOICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:621'568 bytes
First seen:2021-07-27 05:55:30 UTC
Last seen:2021-08-10 08:31:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:JtOsBgo0q4wMtAoUL2J5ANhBPTtqmYojYgRULYyo6SA:JtOsBgo0q4wMYhxBqmqgRULYyZ
Threatray 6'870 similar samples on MalwareBazaar
TLSH T1E1D4CFF1193E7B1BF49309BE20B1919319A050E9C879CBE4FB3352A7FF1615B6085B86
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REVISED INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2021-07-27 05:56:53 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/59f6a19f-4ab1-41fd-9288-02059f145d16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174227/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c2b8e5f-e91c-4f4f-8ab1-8ee43a5716f3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822117
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 454529 Sample: REVISED INVOICE.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 31 www.fabricwarehousebrla.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 11 REVISED INVOICE.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\REVISED INVOICE.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 REVISED INVOICE.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 sascarrental.info 184.168.131.241, 49719, 80 AS-26496-GO-DADDY-COM-LLCUS United States 18->33 35 www.thebartley.com 18->35 37 2 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 49 Uses ipconfig to lookup or modify the Windows network settings 18->49 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 14:21:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwrac6xzlg3oipfrfh6gyggh4in4bioykcy6oqibxo4v3dc32paa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0726096c82c2c643c7de2ed48533e0a545e71f2294433cd7df473aebe9f17681
Formbook
2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
Formbook
4c0c8cbb0e933f865862852967071eb6908bca3c610d2b14a77149d756db00fe
Formbook
612978b3f26f015bba90e038b5fff1fd337818713e639dfd292e72d3109bc931
Formbook
8943af6c4da94f93c169ef98a7b8393ca92b01753e89ea5503d5740bcc45296d
Formbook
ac4d23b56b2aac65756dafc7d6ff505ba986f40410370ca4c094f0530e399d79
Formbook
c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f
Formbook
c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107
Formbook
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
Formbook
fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Formbook
+ 6'860 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210727-95jtd1fs6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
CustAttr .NET packer
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.fabricwarehousebrla.com/mjf5/
Unpacked files
SH256 hash:
687a2ac1ccda161bbb4c669880d72acffa2a950833ae53834ba1bb32de2b4c8a
MD5 hash:
a948ee8c46dbfe097f510355ba5d0944
SHA1 hash:
8774e6de3760585df767f8086054c50c6b28ccd1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a192c41e-3b18-4c70-9b1d-4850ba110200/
Parent samples :
2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
ac4d23b56b2aac65756dafc7d6ff505ba986f40410370ca4c094f0530e399d79
35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0
SH256 hash:
68d341d347ea606e46ab76e673fff63f3ab24b8266d99627a6bda080c33ec79e
MD5 hash:
430673518a9423226c6da89f7ec1f5c7
SHA1 hash:
762fa1aa8b1cd061803b2bd6a96260aa689f63cb
Link:
https://www.unpac.me/results/a192c41e-3b18-4c70-9b1d-4850ba110200/
SH256 hash:
7899d7963b57b2a79d213f2f99489beef917713a32f7efc10e3310c1f5f0580a
MD5 hash:
d56bdaf5ac98ca326b7385689c26b21b
SHA1 hash:
4675c39fe28d6ba2a5143c4f1687fc7f673ef9c7
Link:
https://www.unpac.me/results/a192c41e-3b18-4c70-9b1d-4850ba110200/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/a192c41e-3b18-4c70-9b1d-4850ba110200/
SH256 hash:
35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0
MD5 hash:
6b5c6aefc470e66a1d12bc56437f48a0
SHA1 hash:
e5c903c9a731c3abfbdb5141d926616bf7b54beb
Link:
https://www.unpac.me/results/a192c41e-3b18-4c70-9b1d-4850ba110200/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 747e90de3fdc97a7fec4245b0298db8d5b97bded1cf19e4b25fb912797899885

Formbook

Executable exe 35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 747e90de3fdc97a7fec4245b0298db8d5b97bded1cf19e4b25fb912797899885
Cape
Cape
https://www.capesandbox.com/analysis/174227/

Comments