MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624
SHA3-384 hash: a368302d7ff6f666222d6c54ce01875b187709b6c94bfe88f209983165aa3e1098eafe60b3397bbb04a3152ac721f2b0
SHA1 hash: 8da17dacc87338c630430071efe7850ef34c0184
MD5 hash: 0c377447f098f43601e8c21609c41e1c
humanhash: vermont-whiskey-ink-cold
File name:Payment Advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:233'921 bytes
First seen:2021-08-09 05:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca24a8fe7300d3915643d0e4fbc5d1cd (5 x Loki, 4 x Formbook, 2 x SnakeKeylogger)
ssdeep 3072:/6HGteVUP/qOu43gC4S9HbJhElye1x8JtVTrrTlznlAPOwJFnS1mekUZPPRkTRKF:/dQOJu4wC3tfVSQnl6JFnom3UtPSTRSL
Threatray 7'591 similar samples on MalwareBazaar
TLSH T1A6341286ED91C272EB7227F45FB868B739FF4B454B5662F3075C32029A91D81313E489
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 05:11:43 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/27a39d46-fa3a-4443-81cd-f0181a568a79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177371/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15268.18591.32269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78fd599e-8555-4166-bcea-4162c9184896
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829153
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 461586 Sample: Payment Advice.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 30 www.javacoffeebeans.com 2->30 32 javacoffeebeans.com 2->32 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 9 other signatures 2->46 11 Payment Advice.exe 1 2->11         started        signatures3 process4 signatures5 58 Maps a DLL or memory area into another process 11->58 14 Payment Advice.exe 11->14         started        17 conhost.exe 11->17         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 34 abbyrosemusic.com 192.0.78.25, 49733, 80 AUTOMATTICUS United States 19->34 36 odessawildliferemoval.com 107.180.41.236, 49744, 80 AS-26496-GO-DADDY-COM-LLCUS United States 19->36 38 15 other IPs or domains 19->38 48 System process connects to network (likely due to code injection or exploit) 19->48 50 Performs DNS queries to domains with low reputation 19->50 23 chkdsk.exe 19->23         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 23->52 54 Maps a DLL or memory area into another process 23->54 56 Tries to detect virtualization through RDTSC time measurements 23->56 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 05:11:04 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlnkceirszyuufzlm3yn5oibh5nynqlhdj6re23joa6wjy2y6ysa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c6823e63b28799c28145805bc2c143c67a52698e4af497070b9da8439d6b327
Formbook
1dc173b24c0b503a394568e4a1fff7887dd739cc287e529f25b173dbfea4010b
Formbook
224ddfe0908d9cc2833a8f0f4c28f8a95ba1975cc0e8da5434a8ce17df54f972
Formbook
4796e12d5a33b3b717b0ddc65286b9de7479e86bc91cc0bdb843722a5b62951b
Formbook
6d308c2e93c341ef11c0b14420e158fd650c637190a4daedf003ec091e703a85
Formbook
6f1507120710fd267c7d2b6aa1d63cec192e4eb904675f260a8e2e18ebfc4b99
Formbook
7a34064785bd677a927fa90988d9001aed285762f230d0fe08db7b2ca89ce987
Formbook
e7e775fb123a80ae7c57fa23883b060b3b333c4831d5272015c4751736bf2626
Formbook
+ 7'581 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ieqo loader rat suricata
Link:
https://tria.ge/reports/210809-ddq1cbzegs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.rukreditpay.com/ieqo/
Unpacked files
SH256 hash:
e5c497c0770b119a72919ef46dceef93eebd149e56788727ed959ae3234ba509
MD5 hash:
fa55c6e1e9ed49ba1879e5762cce8f25
SHA1 hash:
f7912e1863797e3365ab1a2df01415a4659a037e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5b91f170-5f31-417b-8810-78209e5a2aec/
Parent samples :
3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624
7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f
SH256 hash:
a60e2cc96c2adb9e0dbcc72114314b423cd8dc6ac3270946b0d4fff0c7f58ae0
MD5 hash:
79d52f634709d7b6b1dfb64ce731dc87
SHA1 hash:
7414291566f3dc4c59b2d675823087329ac88f4c
Link:
https://www.unpac.me/results/5b91f170-5f31-417b-8810-78209e5a2aec/
SH256 hash:
3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624
MD5 hash:
0c377447f098f43601e8c21609c41e1c
SHA1 hash:
8da17dacc87338c630430071efe7850ef34c0184
Link:
https://www.unpac.me/results/5b91f170-5f31-417b-8810-78209e5a2aec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177371/

Comments