MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5
SHA3-384 hash: 7080e75e4062a1db72eaafb46338936716b246651c9ab1618c0a8bcb676b59d769a633327c91276ba0cb062cfcb1dbb9
SHA1 hash: 2383fdf2826e5b4b75cefc0b0ae767ec831840be
MD5 hash: b854d01747abc6ce5af8d14c9aaf5d15
humanhash: uniform-arizona-louisiana-angel
File name:INVOICE_0097WE8.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:813'056 bytes
First seen:2022-02-16 15:17:49 UTC
Last seen:2022-02-16 20:42:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:sgxaVSfUXUDj0ABuHdigABZ3uhzjwsGAF6ftsyisY3xUBmorA2kp7:D9DgWuHdM+jwsGjsyisYiBYJp
Threatray 13'590 similar samples on MalwareBazaar
TLSH T134055B7631EF105697B2EBE30BD8ECBF8A5AF173120E753A31811B868722D419D82775
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241944/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.26075.10302.5961.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated packed
Link:
https://www.filescan.io/uploads/620d15b4ac8ad0468b475456/reports/d980727f-8a41-453e-bc5b-6761cbd41fa0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940921
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 573399 Sample: INVOICE_0097WE8.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 32 www.robroyrecords.com 2->32 34 www.merlinreport.com 2->34 36 6 other IPs or domains 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 9 other signatures 2->46 11 INVOICE_0097WE8.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\...\INVOICE_0097WE8.exe.log, ASCII 11->30 dropped 56 Tries to detect virtualization through RDTSC time measurements 11->56 15 INVOICE_0097WE8.exe 11->15         started        signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 15->58 60 Maps a DLL or memory area into another process 15->60 62 Sample uses process hollowing technique 15->62 64 Queues an APC in another process (thread injection) 15->64 18 explorer.exe 15->18 injected process9 process10 20 mstsc.exe 18->20         started        signatures11 48 Self deletion via cmd delete 20->48 50 Modifies the context of a thread in another process (thread injection) 20->50 52 Maps a DLL or memory area into another process 20->52 54 Tries to detect virtualization through RDTSC time measurements 20->54 23 explorer.exe 1 151 20->23         started        26 cmd.exe 1 20->26         started        process12 dnsIp13 38 192.168.2.1 unknown unknown 23->38 28 conhost.exe 26->28         started        process14
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 14:12:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kvmurzso2sbf32s6k6df5agxmsvlhw7uxfz2ei7xlehotnznep2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08e2b0e469f2809991e59e65177fe994f3aeeea601a2af8aec6c7ae1406debb0
Formbook
201616caaad839735dc703230c000ebb254e0435a77253e160622c8cfbe10cc6
Formbook
2a170cc5086a00b41ce8ff4bcf8fce45f85aef342d4cf4d08f018943cc5221ac
Formbook
2fd3db9eb65d7a120e24e7245a73e4e88d4b2a7998d82986e8b2e2f20af1d932
Formbook
640ac0fcf97c0474f805fdf150d7c539650a833e1cbb47393e188da5a1f5f5c3
Formbook
950ead10061a0d06ae1314f85d90925ed519d91ff8360236960e9abf68a99b7c
Formbook
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841
Formbook
b3b6f6f58e9df22dda93da3c41997e4c36b48b4e8e851a217c572a0b78ce4b83
Formbook
d53c0ce4893779afc24b84d79e926ba6684b2dbc549b85e8213137e2a8358ab2
Formbook
f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86
Formbook
+ 13'580 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rmpc loader rat suricata
Link:
https://tria.ge/reports/220216-splwqsdbar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
f78780e73536894b81b641dd13bb07a695d4db252660ea0eb05eac4c0c0791ac
MD5 hash:
127f40bd49e98c99917ca783c4f9a043
SHA1 hash:
68844b38e9c16af99c05f81a202ae93e9866e3e9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/183b3241-0129-4dd4-aad4-6d0a582b6de7/
Parent samples :
44d74d198ab05ed038d6ca78530988c46fc81911a5e22bdc286049e70563d208
b3b6f6f58e9df22dda93da3c41997e4c36b48b4e8e851a217c572a0b78ce4b83
d53c0ce4893779afc24b84d79e926ba6684b2dbc549b85e8213137e2a8358ab2
555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5
3446a9d1fcd21b6e219220379f6b82cccf3cb967b9af1f9e91fa511e90eab639
125c8338e7cdf610f8aa3cc58db3e350997597a525f85ef6e81c38cc155a62da
04ee371bea0863aab03ca6cec8c5512522c4082654ada54991c483610df7a249
fd8161addee5162327eb1bff7dead0d9f2d8c2b6041bf2edaab964e2c38a78a0
9b4ea9f90dc0bd79331fb576e8e11bfcd1aaca5d89eed706bba28e23d81819e6
6c7bc2a0288450e984898339f779daa67583a202427e894fcb55a8c4238daae0
5c291b48b03f7208a95902a735edb8ff29b7fb241d7451b1ed0fbe49f537f3d7
40ca831a495e2c76c2de5e94c2a65fdbc91a6a59e5a5be2c86a2381166365459
43d06e86f98619000a7cc9600f95da73794070c1a541cb5cec13835600631a06
1b6f19244c3917f5c492d60071b20ec6627ca7cba830d16b8e1e45008de6823b
ebc4b771993d4f5850dcb26b20ba7f36cadd67b0f4ee05c691bddff94a6f5ee0
96a0dffa7387628ad30a6d44608812c3b79f6fd07cd8b144ce9bdd8fb4824187
fe7f81cde71cd5b66042ed13b89d0be7529cd5478f0d768181547d9bde21d519
e1754d3bb2df3b1c3c8b6448afd0e7e03b65e4d4a9fa331df40acc0acc38a408
12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234
7ac201d7a13b441e0e7ec03787bb6570dbb7e88ebc68f021c34f2704793e1675
de3a3c103b66a98978a8d6467d81865c78c4df0448c69c4d7c68d87dc17f7e4a
8d4069f952ab15494c3be7c5cdf0fa161641dcc5fe3a1aab978726ea585f0076
0482134079f147f5535027b2a9e3b0f0c5c841d8d1f38d59ff3e3fdc89f18b7d
d0f3311ded7e19f8d94535b66c9eb741c5d3b4eebbffe924e8c3f2982f266647
d674ad918b0c38a26ec796220f99d14147297ddc01dd8e09c9b9b0dec8998cf2
cba32f8a548cbcab4798e55a6d9c5773ae980932d021126e295a03d05f644f22
de9a953b4f1570485b65622d0255625244e10746d5d2be0384505b60b743a11e
1eb8af23658c91ba76fe9516d0a7f8a678d0122454cb837183326c5a7fb95850
293e285042ed8b51e4166782005c54d1b3c20ba5f148f90b318f3c788115e892
083e99f9a493e14a03ae5c6270873363f0da35583615ef348ea83493a8dc0efa
537d8486471b326e32f04ca8c3c3fbef3955e25722b3e271022b03d8a82f0af2
84d399a3116d4038d5730fdbae6857142c0141f042dbba9a42e8a21e1ce6448b
be51d1c2d8a30045b3fa84863ef8f5073f8ebcdac3bbdbfd483ff61365a9a2c5
fd2f3e46722baeada38453fb8307d78a6a7e590fac0bc7ac36e52e1c95747dfb
06ff0d7203bc986c93f29bba10687aaa29880e3698810b9bea8a5ac04b5ba7a3
c4f73dd9b20be2611e4947816fc9a432b8ae654c84e3e33380543ecfe3323ca1
625c5bcad021d0e8c8f0478d2bec573db81fbf5957e5f9323a481b7d1756f66e
be173845e18d050a20b0dcb71293a32651bc804afe4298225189987d45f4550b
4ac7bddd4fe25bfcc91a63d1fb9a5563af110b5485cd8d00a277938da210a2ca
873b9d986cfc2bbb91df471b4d80bfbfd40f304d7a7fab5260d3ddacd34346a6
SH256 hash:
80637a4797a1529dd3ee55e6e3d19b60af352c68c5878fcd3a8010eba0d1011b
MD5 hash:
6c32a344bff3d560a9e7a5f4985d0d65
SHA1 hash:
a7327f5d1872c9176cc050f9ac214b92da2df0c8
Link:
https://www.unpac.me/results/183b3241-0129-4dd4-aad4-6d0a582b6de7/
SH256 hash:
0cc272835ee6d12502dba4fdc6de0bd36de736e26d87c4666a6b70521fbc3bd6
MD5 hash:
353c0b656ffb7e7405135feffff90bf2
SHA1 hash:
8d0524f36290eb0b2df0b8f9cf287ac27bb8abd4
Link:
https://www.unpac.me/results/183b3241-0129-4dd4-aad4-6d0a582b6de7/
SH256 hash:
e07389bca6e44225f97f1c9dd8bee373ebb930de6100c98baba9ade137fbac27
MD5 hash:
752fc390d281f8a1480c671252c98951
SHA1 hash:
4f2a06aa775d03179e884dad64f244e3683463d6
Link:
https://www.unpac.me/results/183b3241-0129-4dd4-aad4-6d0a582b6de7/
SH256 hash:
555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5
MD5 hash:
b854d01747abc6ce5af8d14c9aaf5d15
SHA1 hash:
2383fdf2826e5b4b75cefc0b0ae767ec831840be
Link:
https://www.unpac.me/results/183b3241-0129-4dd4-aad4-6d0a582b6de7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/555948e64ed4825dea5e57865e80d764aab3dbf4b973a223f7590ee9b72d23f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/241944/

Comments