MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d
SHA3-384 hash: fe05eebcc7b341e842982de0bc3a61b3e206338f476a79ca2e3d32ab625fe319b1e01bf4d81555224a06ca31b54e8890
SHA1 hash: 5c0bab854b18a887b0c21931cc69d8123f3cceea
MD5 hash: 5f5a185621768509b2f0b53c182d3ad7
humanhash: fruit-blossom-comet-early
File name:payment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:890'880 bytes
First seen:2022-09-01 11:24:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:yCpCc6+aG6xFjjvuEHslgDaz7zibGyLwJEbTQ+jt6NL165OlW2uxq6fd6q6/xWv1:1hC+ziKyUibTto65OgM66q6/xIJ
TLSH T16A1501293B56A98FC463CD798CA49E60F261A3275707D747611B266CFE2D3C6CF801A3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
payment.exe
Verdict:
Malicious activity
Analysis date:
2022-09-01 11:29:43 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/7a27c5f1-724a-4242-abfb-bdb796f336c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307226/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/631097212fdf5a082598037d/reports/e8406290-0be4-4a7c-9f43-582dbc4d4a67/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85c0b5eb-59bb-437a-8676-2ea9bde967dc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1062725
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 695249 Sample: payment.exe Startdate: 01/09/2022 Architecture: WINDOWS Score: 100 39 www.150819.xyz 2->39 41 webredir.vip.gandi.net 2->41 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 10 other signatures 2->55 9 payment.exe 7 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\pfeqOyKsfNz.exe, PE32 9->31 dropped 33 C:\Users\...\pfeqOyKsfNz.exe:Zone.Identifier, ASCII 9->33 dropped 35 C:\Users\user\AppData\Local\...\tmp7851.tmp, XML 9->35 dropped 37 C:\Users\user\AppData\...\payment.exe.log, ASCII 9->37 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 9->61 63 Writes to foreign memory regions 9->63 65 Adds a directory exclusion to Windows Defender 9->65 67 Injects a PE file into a foreign processes 9->67 13 RegSvcs.exe 9->13         started        16 powershell.exe 25 9->16         started        18 schtasks.exe 1 9->18         started        signatures6 process7 signatures8 77 Modifies the context of a thread in another process (thread injection) 13->77 79 Maps a DLL or memory area into another process 13->79 81 Sample uses process hollowing technique 13->81 83 Queues an APC in another process (thread injection) 13->83 20 explorer.exe 13->20 injected 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        process9 dnsIp10 43 www.retail-trading-ca.site 64.190.63.111, 49722, 80 NBS11696US United States 20->43 45 www.josephmagnoli.com 103.255.45.60, 49723, 49724, 80 COMING-ASABCDEGROUPCOMPANYLIMITEDHK Hong Kong 20->45 47 www.dmistra.world 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 59 Uses ipconfig to lookup or modify the Windows network settings 20->59 28 ipconfig.exe 13 20->28         started        signatures11 process12 signatures13 69 Tries to steal Mail credentials (via file / registry access) 28->69 71 Tries to harvest and steal browser information (history, passwords, etc) 28->71 73 Modifies the context of a thread in another process (thread injection) 28->73 75 Maps a DLL or memory area into another process 28->75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-08-20 16:35:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihgthf5gsrjrqnqxr3e453bnpyvre4cjxtm6nkf52sbxfcajmjgq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220901-njbflaehg6/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
dc0b78b8dff95f26b817b087014f09106b2801b9f72d4b5d663c88d032a09718
MD5 hash:
d7635bbf67d9f1e7c6c6a41027b71b4d
SHA1 hash:
63dc09d51b28890543d813f013bfc98a249958dc
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d20d7498-7b25-4ef7-bdb4-5eec3081fff1/
Parent samples :
fc437e069c626c4380522863a5329fc7b4aae8330903cdf13eeef54445ab6898
f9cb260e8f4d7486c00f8ead190336a776adbaeab55b514ce808e9c9e6c407dc
1a1523496f14c5d3a3c0cac4e0a5a19a782cb9c6bb2ab6a984bff04cd2ccdd36
ef485b6c343128cd8c40897fe6613cf65d759e330bdf6c6925f2fd7168ff4f06
f47848fb64be8caf6c55a0e4d8773a383ce526c10d072417b3e13edd04b9e73b
7caa5e395127eeb881461690c8c3f47252bee4e42c2b69716fe5fcb8d62b5fef
3014d818f3e7c9dc6feda171ba1370ca613e9a12238ec69ae3c5908a7f8483e7
582b9f31ea52585e315523385506389d3ab7bc50ffe1c5e1ff7f83aed0f1535b
e58b63e862b6038f3c96fc8224ec3c493321e5862b45704c5e3185224426167e
f6d985f7f6ea28d32427fd4543b310febacc8bd94e296c6aee33ae8532c9cae3
d1bb2951d655bd250df5eab810403bf4ca4f37f7bf38a641c74cfc1908464dc6
db43d92fb68d224b483a10ca9ef9e0da10f9073f9a17eb5e532cf8a20a449625
192270166e17780c5b1de39e0b906115798df4185b2413dedcbebd114a01a5e1
1b5882c4ba74d1cc2367938d0dd85e8c651887309d9c0abab0587d903878229e
a044da065d4eaf497ccc5365580e78eaea4411b8650e62052407f16afbb150ca
71b8d65f48ae74c35083b832b4ae5acb5564f744e5895a666f332392bce335cd
2a8df78b05fd8f497ed976ca4db985249c2c6b250850619168d5ee56b4c3d4a4
eb5553282526065116c7a3beaf3c707052f9268b5598fac475f6f96c88080419
16ba659d813dfa2c6d143c32c493f56266d9a408ec75b01b0aa019db2dad216c
41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d
90d4d8f68b8e94514add55bedfb36e7bbe3bcc1781d6e00b0bc3bfaabe1d9301
3bfc405f340396a4b679a770d8232aec67f5e42d43c9f8b14aa3b689d444b917
49357eea6bdaa8334590e3cae0e14a265730944feef1792298bce6a13d7d54a8
a139b8fab8e24344af7b4f5a261440cb81449a71449e20e1ab16abdd4e35e909
ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616
dac75f90478b07cd9c53c36a4d2b01e73b7e31554a9bfec57bd328031ec15017
0f8f203e0b21e34ad21c3e762dbae4c4c7b158624a5f805ebf19e8ba05c76e5d
69870e2a61815839fdc55f251a07c89580dc6c1725f850288c4dc190c08b7175
041ee64deb9710bd802be8d6b2cdcf5623cd8ab974a52fe4bc4e4add965bb08d
b96b285d4a28e1c31ca5c844fc8a9c6ff61a7dc3e283d5dc26ad697af46b8df0
be702722d3bc33164534d9eae10457f1344d855ffc1c94dba5c40b97ef144052
443123bad678f73d1fa804d131c23f0ab5a334601de7e4b2681d9e5e2c03bc42
5db9ee8081b4a9e2359bd67b65edeec998aa12fb995a441adcec6e450f0fe6aa
d06e9a0bc38a688ec308ebf3b7806de3d4f13bc7e630f1c34f8e2356a9123e10
a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927
413ad4daf54c1b3c50f35aa2afb87a3582589599bb20085ccb7b89eb5acccee8
6beb15ecc2ebf386675a66585a253327e094c1c654f3cbe7fe93f8cca3c35b45
3dfbf2852a3ceda68d8e1b2d5e31a440b8ff30c4ed56e8952a9a614dfb2bb008
cf6bd9457b03ee9d17e0249c7d504d02eb902cc67dd1973119cf658531240e56
0f4847c04b273a0cc37ba6f7f9d4d9b3eb2685c3465cda610f90a0afa8440c9f
6bf5a3809ca423061cb16a815ca5e5f3ba86d6c7fbf5233fd68b589012eae0ab
1e68a25ee97601a9898f7af37b64a160c22db3bd8442888912e570bbdf7c5e48
9d3234fef11c8917c540d371dfe4cd268a737bc62cf900997752634c7124f634
SH256 hash:
551ef0181260a5ab5728a618c2e86443753aaeb425e6c3b1346dfb0a661c73af
MD5 hash:
3c7205139e6aabd7de040b15021c24ed
SHA1 hash:
e4c66e4ca1bb3b5488d7c4ba7fddc8cac118955f
Link:
https://www.unpac.me/results/d20d7498-7b25-4ef7-bdb4-5eec3081fff1/
SH256 hash:
47e358eb6d12e78fdd558243dbe79cb617f6ebffa82a2ff29b70cc6abfdc6e9e
MD5 hash:
c474a4d41142a548ad817adbfff54ad1
SHA1 hash:
cac2a9fb15b891b15dee19ec52585cbed67a1ed5
Link:
https://www.unpac.me/results/d20d7498-7b25-4ef7-bdb4-5eec3081fff1/
SH256 hash:
452ec3a1122b46cb97fa3d0e94b3eff2df3ad87bb8af516f2e669d697bfaf78b
MD5 hash:
4772d4e59fc621c859692a4320b2861c
SHA1 hash:
98f4835e4ac2df1ed58ed73d1b1a8d00f5ee9c79
Link:
https://www.unpac.me/results/d20d7498-7b25-4ef7-bdb4-5eec3081fff1/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/d20d7498-7b25-4ef7-bdb4-5eec3081fff1/
SH256 hash:
41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d
MD5 hash:
5f5a185621768509b2f0b53c182d3ad7
SHA1 hash:
5c0bab854b18a887b0c21931cc69d8123f3cceea
Link:
https://www.unpac.me/results/d20d7498-7b25-4ef7-bdb4-5eec3081fff1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/41cd3397a694/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/307226/

Comments