MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 441ba10d2078c45be3d266523f77b59a1478f61ce09f2097ccc276d534c35855. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14

SHA256 hash: 441ba10d2078c45be3d266523f77b59a1478f61ce09f2097ccc276d534c35855
SHA3-384 hash: 4122d81531b28131e4b5093ccfd9894e694199340b3303b619e63217593d834ca023df68ebb9894ce743d15ab49d30ec
SHA1 hash: 4b3e36dcd7ea9785f93e43699e1224ad30626148
MD5 hash: 297e8b7f26a2eb1af366cac0202eca9a
humanhash: don-illinois-foxtrot-grey
File name: Notificación de pago.exe
Signature: Formbook
File size: 535'552 bytes
First seen: 2022-05-13 14:35:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:3GuFJoO8gHHV3PnS2l3wCGeoPzaHkkzXlWaVaGNtl7:rwyHHRS2tPweEkzXRVJ
Threatray: 15'441 similar samples on MalwareBazaar
TLSH: T14DB41256A267A933C14A9736CCD855CC5330CF06AC23DA4768E932CC2B73BC64E91B67
TrID:
  72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 282
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a window
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe obfuscated packed replace.exe

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: [graph not rendered in this view] Behavior Graph ID 626150; sample Notificación de pago.exe; start date 13/05/2022; architecture Windows; score 100. Recoverable process chain: Notificación de pago.exe starts a second copy of itself (dropping an ASCII .log file), which injects a PE file into explorer.exe; the injected explorer.exe makes network connections to several domains/IPs and starts WWAHost.exe, which performs self deletion via cmd delete through cmd.exe, which in turn starts conhost.exe.
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2022-05-12 14:53:00 UTC
File Type: PE (.Net Exe)
Extracted files: 16
AV detection: 17 of 26 (65.38%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader campaign:d6fp loader persistence rat spyware stealer suricata trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 441ba10d2078c45be3d266523f77b59a1478f61ce09f2097ccc276d534c35855 (this sample)

Delivery method: Distributed via e-mail attachment