MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa
SHA3-384 hash: 5f35fc506a73c8f8005915694a550ef0b93d46eb38f9267303cb6e3b8856d5b6ad4489c2bee81dd31f61ca8d9dd3693a
SHA1 hash: e6b0ff0326fbf4ad5579366e396b871015d5c66d
MD5 hash: 40bb98fd28ddc98102058340372887bd
humanhash: aspen-bacon-floor-hydrogen
File name:MT103 USD COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:696'320 bytes
First seen:2023-05-16 10:47:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wysSpPyNU9O055VQ7Kih04czIM71mhbmqZaaWCgMswxn5YXj:WY5H1gQ3Qhb7a0gMswx58j
Threatray 2'911 similar samples on MalwareBazaar
TLSH T1F3E4E120B1FE0477C76943F502491A490BB951AB7C27D6F84DDE70DAFAD2B020B52EA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0c6c4c5ac4c9c0a4 (6 x Loki, 6 x AgentTesla, 5 x Formbook)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
MT103 USD COPY.exe
Verdict:
Malicious activity
Analysis date:
2023-05-16 10:51:02 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/577223fb-1634-476c-a836-d1338bed5f36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390395/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25438.24089.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64635f641865ea590a014ad0/reports/d9e922fb-89e0-4374-9692-ae92273b67a4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecfa566d-bb63-47d9-a332-aa5176a1aac7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1234649
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 867635 Sample: MT103_USD_COPY.exe Startdate: 16/05/2023 Architecture: WINDOWS Score: 100 31 www.alarab-dubai.com 2->31 33 alarab-dubai.com 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 5 other signatures 2->47 11 MT103_USD_COPY.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\MT103_USD_COPY.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 MT103_USD_COPY.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 4 1 15->18 injected process9 dnsIp10 35 www.autoflowerbirds.shop 18->35 37 www.atthecornerof.com 18->37 39 atthecornerof.com 34.102.136.180, 49696, 80 GOOGLEUS United States 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 control.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 08:47:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kdg5keev7xhpfnzr635dbfjjc3zxpavrvgsxpbkwgr7dhdhmqwva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
597979053a51f37ffa0cbeb1847f707b2dd3b3cdbcc5c0a5e66a1f15b5419b8e
Formbook
5a056284d1d1ed301db9889707086b4f90527b0e22965fc3a01cc1abd97a2972
Formbook
9c3d5704da83029f78ee8cf532c746cd04834f5375a698f21c50040ade6c5a09
Formbook
a2ed07bb61747f46086f07900e698d552f1a36ac21bbeee313894743aeb1276a
Formbook
a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
Formbook
a70b171c28645f51d9405f8429ae74f28d27ddb48786545bc21f35810f9501e4
Formbook
a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75
Formbook
aee5d1b7326545ff692b98743e04d035e01415300fea8a5bf445d3490d6776cc
Formbook
bfede26656dbab01c01f5187f8a5d9b63cd0f8bba301e8c1d145bda515960f02
Formbook
c930599e45ce9f8d2d1ffcce335e47b1beef8119dabef13eefe381927a4f6719
Formbook
+ 2'901 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ws6g rat spyware stealer trojan
Link:
https://tria.ge/reports/230516-mv4e3sad24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
a6fa92763754694a72b9eea01f3a132e73e7b28d4bccf816bd00d9037aac18c7
MD5 hash:
82467fdefd20c7b1c6f132589b425ffd
SHA1 hash:
127583d2fb33e57d7fed2ee2ea99c2476a499775
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8955ecc0-cb5f-448c-8b3e-9d18bfdb804b/
Parent samples :
50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa
9ef04feb0ee1752a0482420b2ffecc24d69aea3421a5aaa3b36d1d4061133b4c
d47b09aa20047a24da4bb05c726b29200b0803e350d0d51b2f63162d1fd0e66f
SH256 hash:
2621c42354b90477affc47f472c1838142dfc2a2ead8b2522d4ebd63185574d7
MD5 hash:
9fb1f4d4ca367032ed2781f2a8913328
SHA1 hash:
df3539f00ddd28677a1bc284d1c2df8314e633a0
Link:
https://www.unpac.me/results/8955ecc0-cb5f-448c-8b3e-9d18bfdb804b/
SH256 hash:
689c0d99223363597d927e35c0758a9c343fb4b6ac8e2dcdd80525557bb00d80
MD5 hash:
1817cb11b1c02eb1a0a0de6ad41d88bd
SHA1 hash:
b4feb620f2378af9cadbe1b1b6e7e742eb154bc8
Link:
https://www.unpac.me/results/8955ecc0-cb5f-448c-8b3e-9d18bfdb804b/
SH256 hash:
ef6783461db7b8fda06287059b9df40415ee956806af1ad58c1d99fd8d910b7f
MD5 hash:
b2eff56ffc6f7b81e587f71eb8f4e173
SHA1 hash:
5687d1e75fb892868c9f37a70e500b51d2a54414
Link:
https://www.unpac.me/results/8955ecc0-cb5f-448c-8b3e-9d18bfdb804b/
SH256 hash:
6722a58c81f6d11004e880bd8481acc423bf96afd46bf692f1562cfa4c5852bd
MD5 hash:
d92d2ba953be4be2d6f2bc859ec5c607
SHA1 hash:
05da51752277bd907ebcfb799524ec7655abbc3a
Link:
https://www.unpac.me/results/8955ecc0-cb5f-448c-8b3e-9d18bfdb804b/
SH256 hash:
50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa
MD5 hash:
40bb98fd28ddc98102058340372887bd
SHA1 hash:
e6b0ff0326fbf4ad5579366e396b871015d5c66d
Link:
https://www.unpac.me/results/8955ecc0-cb5f-448c-8b3e-9d18bfdb804b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 50cdd51095fdcef2b731f6fa30952916f37782b1a9a5778556347e338cec85aa

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390395/

Comments