MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50cb4a77f2df96f675c80dec26c475f843954677b7a44aefc2e4bfa313a4e63d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50cb4a77f2df96f675c80dec26c475f843954677b7a44aefc2e4bfa313a4e63d
SHA3-384 hash: b518d4d07236c1e6ff795d5a24892f9daee313cd223d7e58723d10a350f4256b6aed5d0bd38d5581524b389f3dedb032
SHA1 hash: 3bdb21d9373fdf0637a366dfb9163327766ef9b5
MD5 hash: c087b98a1a5ef4cf067a9194f1edd316
humanhash: venus-diet-fruit-green
File name:Payment Receipt.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:616'960 bytes
First seen:2020-11-16 16:56:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:7/D+qnZVUpt8LF6CeFTgadXdn7lCSuDBSX6ZiHPRza/zWxXHeZrH/m+SEUoGU:7/D3ZVU38/2pdXZ7lCSuUX6ZiHM/zWxC
Threatray 3'286 similar samples on MalwareBazaar
TLSH 88D4E0353A82BD8FC75B8D76C6501D00AEA1B8675B07E70F7C8B12EC191E79A8E015B7
Reporter fabjer
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538209
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 318203 Sample: Payment Receipt.exe Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 31 yusuferdogan.com 2->31 33 www.yusuferdogan.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 9 other signatures 2->47 11 Payment Receipt.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\Payment Receipt.exe.log, ASCII 11->29 dropped 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Injects a PE file into a foreign processes 11->61 15 RegSvcs.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 2 other signatures 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.bancodoimobiliario.com 104.247.218.114, 49737, 80 QUICKPACKETUS United States 18->35 37 www.myscpmed.com 81.17.18.195, 49736, 80 PLI-ASCH Switzerland 18->37 39 www.lowcarbindulgence.com 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 raserver.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50cb4a77f2df96f675c80dec26c475f843954677b7a44aefc2e4bfa313a4e63d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-16 15:09:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kdfuu57s36lpm5oibxwcnrdv7bbzkrtxw6sev36c4s72ge5e4y6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16a4855bceb4df02e0478cd72972a6e7f144f2278fedb239c2cb696cf6bf7199
Formbook
333a258f45e7a8baaab72b1539859a00bca7309a8d641490329184977090b540
Formbook
598bcdbe4c3e21a17a48d44dc03640f90643d1a03549ec429c7f96fd48e6a7ea
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
767fc756f86db0b4de57b4ec14964f24af0e47eb23ba7fa1df6378bcf9986947
Formbook
7bbb0115208c57bc42a9801afbdfeac6b417269c16739787c4f7a792bfa94c88
Formbook
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
Formbook
8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382
Formbook
ade2f980cf7854d961f35a312e9b21b5372ae091765c2fe9c860602107e7eedd
Formbook
b1b8f6dcd1c8d12e5a79a8d16dd62d0900d552ba435178b691f4497d338cc704
Formbook
+ 3'276 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201116-wg92mmfs1n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bestancasterrealestateagent.com/shwq/
Unpacked files
SH256 hash:
50cb4a77f2df96f675c80dec26c475f843954677b7a44aefc2e4bfa313a4e63d
MD5 hash:
c087b98a1a5ef4cf067a9194f1edd316
SHA1 hash:
3bdb21d9373fdf0637a366dfb9163327766ef9b5
Link:
https://www.unpac.me/results/7b71028b-28e5-4de0-b66f-08453c5a8a30/
SH256 hash:
73c1bb940789b8401b12ac424e703763317d2646d2dec4f25986afb28b383ec0
MD5 hash:
97e8aaf2ea9a79ea4b54d9f2a1ec3020
SHA1 hash:
0d4a60377cfa2145687b7c492ecb68ffa3776ac5
Link:
https://www.unpac.me/results/7b71028b-28e5-4de0-b66f-08453c5a8a30/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/7b71028b-28e5-4de0-b66f-08453c5a8a30/
SH256 hash:
e8a6bb253433053f371b4152bd88664a4b996f9f2bbe5cb4eed22fb6f2dd3333
MD5 hash:
2874e0bee21bcb2ee278c0b7993eff8a
SHA1 hash:
ae6862c0e3ea8d20bda93eaf708a94f05fc9a249
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b71028b-28e5-4de0-b66f-08453c5a8a30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/50cb4a77f2df96f675c80dec26c475f843954677b7a44aefc2e4bfa313a4e63d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 c7207f2d42e3ea57f19949eeb14e7bb8178a3e9b87c095f9291d70efaac8b98b

Formbook

Executable exe 50cb4a77f2df96f675c80dec26c475f843954677b7a44aefc2e4bfa313a4e63d

(this sample)

  
Dropped by
SHA256 c7207f2d42e3ea57f19949eeb14e7bb8178a3e9b87c095f9291d70efaac8b98b
  
Delivery method
Distributed via e-mail attachment

Comments


Avatar
fab jer commented on 2020-11-16 17:07:24 UTC

https://app.any.run/tasks/7411dc4a-7569-4334-8c2b-0d8fd37853c7