MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38a56ce38b1cb566debbc01c73ff14492c8e4d60b39be2801f13a21cbefe6084. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38a56ce38b1cb566debbc01c73ff14492c8e4d60b39be2801f13a21cbefe6084
SHA3-384 hash: ad84dd61e74eeb08d23f9a190009ebd47e8e50736c022e28dde65957a08402cc0a32876007a46fdda3bc89e4b4eab738
SHA1 hash: 519bc5160029904d61d276e50bc65b7cd0239d97
MD5 hash: b1dfa25f6efd1cb015e40cd2bababa4f
humanhash: green-item-sierra-black
File name:Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:517'120 bytes
First seen:2021-05-31 11:16:38 UTC
Last seen:2021-05-31 12:16:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bd109b374a50b864840939f0b3be3f1 (1 x Formbook)
ssdeep 6144:708gzHYi8c+iaU1OLV0plrozNSwNC0v/LTbq7d09O0zDVtshp+J6aAqOG+8hDos8:7zlpc+/Lq9OSwQOW7SOsDVt1AqOj8Cr
Threatray 5'567 similar samples on MalwareBazaar
TLSH 80B4021AA594CCBEE4300933DC54A8714C6F2E1E69EACF63B3997359B9B41C0DE26713
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-05-31 11:22:17 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/410aa77c-f52a-42e2-8787-a26e2ac404b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163434/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37007999.6624.26346.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794650
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/38a56ce38b1cb566debbc01c73ff14492c8e4d60b39be2801f13a21cbefe6084/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-05-31 01:06:26 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcswzy4lds2wnxv3yaohh7yujewi4tlawon6faa7corbzpx6mcca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0128dcf3bcd255f622b36968f61b8b69efcddd6c3913c0694d75e1ec81bea378
Formbook
3c94599cada17b9fae62316e54a1d69db7c475223721a5a57abe8774a2b5da74
Formbook
40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10
Formbook
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Formbook
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
Formbook
8bd8e7edfd64f242eec8ebeaf0a473152c0f52de8f0318f8bcacf98326e0405a
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
9c2725c92b6d2ab8d0a3d786358751d8a449fd8bfd02adce7e80bd5e07714d93
Formbook
b2c2371d92995eb349a4d6be53af3c42798af56b94f59adf1d765d2905fd5871
Formbook
f44eaa70bc3a335aafde0dda80080dad479d50a2551784992fc863cf21e466a5
Formbook
+ 5'557 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210531-78dye36gte/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.arihantpoly.com/jogt/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38a56ce38b1cb566debbc01c73ff14492c8e4d60b39be2801f13a21cbefe6084

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 38a56ce38b1cb566debbc01c73ff14492c8e4d60b39be2801f13a21cbefe6084

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/163434/

Comments