MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21
SHA3-384 hash: fe9420779929df62332d42208ff3be70dd307d25ce478de265089dc68f7afd60dcb553e2ccf0042f1decda4810919944
SHA1 hash: 2af2f0f379d5a11ffa6655ac8bae2a247d0bfca8
MD5 hash: 325dac8db7e6fce3d01316c693799e04
humanhash: artist-august-river-beryllium
File name:Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'166'848 bytes
First seen:2023-03-03 16:36:16 UTC
Last seen:2023-03-03 18:32:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:kq0c4+2CblkbVdb3/hW6kl0fNzA9vDZ4oocVVHbcJLc:kqF4+Vhkbvb3ZW6pNUv4AVHbALc
Threatray 2'260 similar samples on MalwareBazaar
TLSH T1E245872809FD0EF28571F1FD9FE4E753BE808CE6AA049D9982834B89551395720AFD3D
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0060696971696000 (10 x AgentTesla, 3 x Loki, 3 x Formbook)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-03 16:38:19 UTC
Tags:
stealer formbook trojan
Link:
https://app.any.run/tasks/e0660a83-30ec-442a-83b0-d50883d783da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371485/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64022230bbedb8176ff279b8/reports/80dab650-0170-42ad-97a7-6c1b1e3ed3d3/overview
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.QY trojan
Link:
https://www.hybrid-analysis.com/sample/402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fdec355-ef60-4a04-b803-538d4b22304e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186698
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 819575 Sample: Invoice.exe Startdate: 03/03/2023 Architecture: WINDOWS Score: 100 31 www.hewqe.com 2->31 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 4 other signatures 2->41 9 Invoice.exe 3 2->9         started        signatures3 process4 file5 23 C:\Users\user\AppData\...\Invoice.exe.log, ASCII 9->23 dropped 51 Writes to foreign memory regions 9->51 53 Allocates memory in foreign processes 9->53 55 Injects a PE file into a foreign processes 9->55 13 MSBuild.exe 9->13         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 1 1 13->16 injected process9 dnsIp10 25 www.stevenallon.com 103.75.46.165, 49705, 49706, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong 16->25 27 www.twowicked.com 54.38.220.85, 49701, 80 OVHFR France 16->27 29 11 other IPs or domains 16->29 33 System process connects to network (likely due to code injection or exploit) 16->33 20 cmmon32.exe 13 16->20         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 20->43 45 Tries to harvest and steal browser information (history, passwords, etc) 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 10:37:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iawifx23zwcsq2ghj22nqanmfuz4snq2sqxlkybamffp4fd6vmqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d9f7bc0ae2c78c01e07e9fa17d9caf3e5bd315b7f2c71f5c27adf0700f36d06
Formbook
3f999fa0a43425869e768d6ca75c3e5a70dd34e475cdd20ee240076c6ed75749
Formbook
3fdd151be1130daa30b97fd53420ac6ccd214d36dd14083d7b3ee557956277a7
Formbook
4ce2768ba26406a3b872e6e31d5dba57b908a56a0be7980b501ada6a587cfd02
Formbook
5fa79245acfe001f7b4269dadbe7b8ca5c4e3dbe5445b56c3f53c29c28bcb06b
Formbook
7364133b920b40a6d5583a6ae12d8f510df7f2f65da5c026bd7c9ffbe3e54e57
Formbook
f127b3ccc3495b723d23829d0bf947e4108c9332fb13fdd00d0e82ff41a8eb73
Formbook
f45ed09f500667f7fbae32453fa1464a6003dc9ef3be284e156a43bacd3c2147
Formbook
f90cae8d2f230d52a461faf67dd818065329eb8cac4c241734a3f224eee1c531
Formbook
+ 2'250 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230303-t4ss9sad77/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
dc2f1d24e1171e4376c920efd85c1fa597a9d4f1b0bdf36470159a8ced1ebccf
MD5 hash:
c18012cc21a367eca4dca2ad7d657bb1
SHA1 hash:
bbbe1949f2ae99a8a383e11ac41ceeb3ee1b94c0
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
SH256 hash:
6ed53293c62c3b239ff4338a157b35aaf1de169f1c41343636fc1693f9d3ff8b
MD5 hash:
b5485e5c366a4531163a468ceae9d234
SHA1 hash:
6d42d80fd777f6ef94332f7ef5f647d31dbef2b7
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
SH256 hash:
b1a0ab1e00278427e8c474b8a3a72ac4dac2710c9c93225fedc61ed20bc8b424
MD5 hash:
78c208de69f1fa29664f6bdf9adbd7d8
SHA1 hash:
fcf916d2a53c2ee91628f55a852c54e7f1f17071
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
SH256 hash:
d8ec03c34a5f3bd93effeafc2e078ade5df75d468dae5208937c69be4fecfe7f
MD5 hash:
cd4b7952d18e1459bae379e5da7f6afb
SHA1 hash:
e09367a20c19427dae20b53cbe761d1b21272c36
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
SH256 hash:
1bab001c090f2f208e39247f8eeaeb77a0740bc9be7fa755cd57a863b3d22dd3
MD5 hash:
90b3109cf9cc5342015fc1583a78b282
SHA1 hash:
bdddff1c96296a0dc9f8d808e3b2d5829a15d2d2
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
SH256 hash:
89f19a73a1ed495032cdb31dabafbfc74b533556c4c4f6c7d90867da77d3ff00
MD5 hash:
c0a820a8c28ab7126cde585ca1877ce8
SHA1 hash:
90661071a3f2464095e9255e2e0e509f3d4b3f66
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
SH256 hash:
402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21
MD5 hash:
325dac8db7e6fce3d01316c693799e04
SHA1 hash:
2af2f0f379d5a11ffa6655ac8bae2a247d0bfca8
Link:
https://www.unpac.me/results/f918e2de-2ff3-4fed-9476-8ca381f07697/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/402c82df5bcd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 8eadf6618f60fc52a67cd48c05af8053e92fcb73541454319fa569c80b7c1ec5

Formbook

Executable exe 402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8eadf6618f60fc52a67cd48c05af8053e92fcb73541454319fa569c80b7c1ec5
Cape
Cape
https://www.capesandbox.com/analysis/371485/
  
Dropped by
MD5 5874433a2ffa262780d409316b85a598

Comments