MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc
SHA3-384 hash: 9a5cccc5a941596983f7c98507409647a7d37bc3252c887461a9e67ffb49969a4d67447cc224e8c678e73d777d97fd10
SHA1 hash: 47625939b389b5a1c74f0a06fe909178aa1a4e9d
MD5 hash: 984cc2dc61722bd0eda0c5e1fa171b37
humanhash: white-princess-london-tango
File name:Protected copy of the commercial invoice Packing list.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'673'216 bytes
First seen:2021-07-15 05:41:51 UTC
Last seen:2021-07-15 06:44:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:V1M2vCM80VH9ifiKnG9TXDRhPgOD0MU6GHhO:DMC8+EiKG1PgC0iG
Threatray 6'421 similar samples on MalwareBazaar
TLSH T18B756C3EAA682F27A73F916445430004F4AB8DDA3E315BD746C72D88755D9023EAE36F
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Protected copy of the commercial invoice Packing list.exe
Verdict:
Malicious activity
Analysis date:
2021-07-15 05:43:04 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6c6149b1-1aa1-4eac-9f31-0c7a1f82afae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171859/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Noon.lc.22084.7526.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84ab5cf8-f463-4a85-8c96-3d0641161d70
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816663
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449074 Sample: Protected copy of the comme... Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 33 www.pornometal.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 10 Protected copy of the commercial invoice Packing list.exe 3 2->10         started        signatures3 process4 file5 31 Protected copy of ...acking list.exe.log, ASCII 10->31 dropped 57 Injects a PE file into a foreign processes 10->57 14 Protected copy of the commercial invoice Packing list.exe 10->14         started        17 Protected copy of the commercial invoice Packing list.exe 10->17         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 19 wlanext.exe 14->19         started        22 explorer.exe 14->22 injected process9 dnsIp10 49 Modifies the context of a thread in another process (thread injection) 19->49 51 Maps a DLL or memory area into another process 19->51 53 Tries to detect virtualization through RDTSC time measurements 19->53 25 cmd.exe 1 19->25         started        35 www.yinhangli.com 23.27.8.216, 49733, 80 EGIHOSTINGUS United States 22->35 37 www.sitedesing.com 172.67.193.107, 49737, 80 CLOUDFLARENETUS United States 22->37 39 12 other IPs or domains 22->39 55 System process connects to network (likely due to code injection or exploit) 22->55 27 autochk.exe 22->27         started        signatures11 process12 process13 29 conhost.exe 25->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 01:23:26 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmm3kulb77tsg5v7hhwcop3a246ztdmpizqcfxvlavwyztflfxoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
214910524a528bab8dae4a704169e20d9f2f92444df6e6a65d19decafd9f69b0
Formbook
23e1c48906d47f98ad9d0445f924bd1853341cc61810e70ef267ef1563969647
Formbook
2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498
Formbook
40f8cfeb5f68c1980aaddf36f9915076d613c4c99293f1f6043180fe1006ea78
Formbook
5bcba2a09d8758ca07490dfcd3859a64b3a0092ed7873a707e73346eefd4235e
Formbook
c75c953e098f6999fd4a1674f4fd325d538502aead639872dec4cb89ca3ffee9
Formbook
dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609
Formbook
f4ceea0a1881800f657906368b21c25ebee2c6ac3c7ae210548b1dea0ccd420c
Formbook
+ 6'411 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210715-hhh8wqbecn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.jiltedowl.com/um8e/
Unpacked files
SH256 hash:
40f7d71281aa5b1d292c4421619cb49f87f637579c8b2ec75db8f218a3d514fa
MD5 hash:
dcbdccf32594509ad091c0fe2703f145
SHA1 hash:
92cc96e5cf1dd12ff42c137ac38e26cbea8e91ad
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/597b7956-0862-4272-aa6d-e2bb47d6552a/
Parent samples :
214910524a528bab8dae4a704169e20d9f2f92444df6e6a65d19decafd9f69b0
c75c953e098f6999fd4a1674f4fd325d538502aead639872dec4cb89ca3ffee9
23e1c48906d47f98ad9d0445f924bd1853341cc61810e70ef267ef1563969647
5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc
2a3c5d424e042d82f295aba4197bc052355cbea30b0fa9c419a1cd7fb6c2bc31
0c6823e63b28799c28145805bc2c143c67a52698e4af497070b9da8439d6b327
e7e775fb123a80ae7c57fa23883b060b3b333c4831d5272015c4751736bf2626
SH256 hash:
cdce2f39b43e34697412b871f3cf91744cf3976a6aa091b42e77dac113d86dda
MD5 hash:
bd054b32b3c4a83b24bb253561b7b7e0
SHA1 hash:
f454cd3dd5869e5eac45eba7620c3b08423d0f50
Link:
https://www.unpac.me/results/597b7956-0862-4272-aa6d-e2bb47d6552a/
SH256 hash:
6864411713edb99438e7b18a31a64f6a8d6c40a5d7b2eed1e9bddbed274af22d
MD5 hash:
0e41890a843eb47d91dde9fd8a8e3de2
SHA1 hash:
6ff9b147752df3776ab60abdee1f7ceeb993eaaf
Link:
https://www.unpac.me/results/597b7956-0862-4272-aa6d-e2bb47d6552a/
SH256 hash:
5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc
MD5 hash:
984cc2dc61722bd0eda0c5e1fa171b37
SHA1 hash:
47625939b389b5a1c74f0a06fe909178aa1a4e9d
Link:
https://www.unpac.me/results/597b7956-0862-4272-aa6d-e2bb47d6552a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5319b55161ffe72376bf39ec273f60d73d998d8f466022deab056d8cccab2ddc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/171859/

Comments