MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56e4e634c9dcd2d51f03bcaeaccc3dae511c6709520e81f0745ddb7e30c5e827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56e4e634c9dcd2d51f03bcaeaccc3dae511c6709520e81f0745ddb7e30c5e827
SHA3-384 hash: 6e9860e6327395a5a1a10dd5b34a07d31c7b18e0fe8361ed03fe5160062c684d4363bd750019ae6090fde41fe0b64e1f
SHA1 hash: 3e2238c1df48afc1c8be394cae27f8fcac4670a8
MD5 hash: efcca03e332e9f48110fde97de065e98
humanhash: king-yellow-autumn-queen
File name:INV_payment_copy_HSBc03102022000000000000000PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:287'728 bytes
First seen:2022-10-04 17:34:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:5hchqr8ljuLNhZanEvbDJBKLKF5lD53P+FjL4yM:YJh6haebeLud/wdM
Threatray 80 similar samples on MalwareBazaar
TLSH T1E95402A4B6E41C5FCE5BCAB660879C008130F963A983D38391FBE21C55963D6B89D4F7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316606/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62487299.22655.31459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Reading critical registry keys
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/633c6ec9d089a0c15dd51b95/reports/e6bce057-610d-468d-81d3-9b3f8f80ccb9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a3ab02e-61f8-4629-8e0d-b47e2a9fc26f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083460
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 716022 Sample: INV_payment_copy_HSBc031020... Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 31 www.elcomconsulting.com 2->31 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 7 other signatures 2->41 9 INV_payment_copy_HSBc03102022000000000000000PDF.exe 1 2->9         started        signatures3 process4 file5 23 INV_payment_copy_H...00000000PDF.exe.log, CSV 9->23 dropped 51 Writes to foreign memory regions 9->51 53 Allocates memory in foreign processes 9->53 55 Injects a PE file into a foreign processes 9->55 13 cvtres.exe 9->13         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.rodriguezempirerealty.com 216.40.34.41, 49703, 49704, 49705 TUCOWSCA Canada 16->25 27 www.mariefrank.shop 91.195.240.117, 49700, 49701, 49702 SEDO-ASDE Germany 16->27 29 6 other IPs or domains 16->29 33 System process connects to network (likely due to code injection or exploit) 16->33 20 cscript.exe 13 16->20         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 20->43 45 Tries to harvest and steal browser information (history, passwords, etc) 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56e4e634c9dcd2d51f03bcaeaccc3dae511c6709520e81f0745ddb7e30c5e827/
Threat name:
ByteCode-MSIL.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 10:21:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3somngj3tjnkhydxsxkztb5vziryzyjkihid4dulxnx4mgf5atq._file
Verdict:
malicious
Similar samples:
183c29706c0a2dea564942c2f989e25eec5854a8ced14f7c48579857241aee5b
Formbook
3aa7626c625be28b83463afd05ea7d530d1f88bda8eec08c457b39ab28d68965
Formbook
3d70466e2cb7b2b051feb16750acb3b40af81f4595a0c0ffa865c13907820ca2
Formbook
5f0a7dc1b811c17fd637280f721864e465772c8e3ce51b31c3e1c8570ba72619
Formbook
6bbfa5ab7aa24cf9fe44b50930dc21142387d590c988004fdb0d3b40df3ed1fa
Formbook
8c575aa5e93a77f506411780e84f57617a784605557c36053bc3535306509f03
Formbook
a5e3197260ba1af2869c876321feddcaff9840446e5094d8e881e06732b27454
Formbook
c4d1c39814d1e2d2aff5e0bd608585c6ff9c932c3480d73eb30310cf3c4be029
Formbook
d50091f2f374614a00ae73f14dabf529e887e1729da0903f59a09739f4c37e8d
Formbook
fad6952d13fe03d8e9a8f04e8168be03ce0b8deb45de91123fa82ff890aafc5f
Formbook
+ 70 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ubpr rat spyware stealer trojan
Link:
https://tria.ge/reports/221004-v5z5eabhhr/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2911aeca-1d3d-48f9-8a36-34ba5e3dc072
Unpacked files
SH256 hash:
5eb722e0646eb44c1bbe03fd04e69c2b47d0e309e784332c1a477a31d58a48e6
MD5 hash:
85ac044b42de1f49426049aa3641a803
SHA1 hash:
6d16390e40abae8f6a1723ad0371051354a8799b
Link:
https://www.unpac.me/results/ba5e3661-367b-481a-adc1-02f90fa30218/
SH256 hash:
f727ec4386e70aaf1658448edb4aac06eabc75f67284dd810820d9e77e00bf27
MD5 hash:
fa4d830fb00507a2582f97803806f7c9
SHA1 hash:
3b411095aaaf11a160244d014d69c1f6c3c22f61
Link:
https://www.unpac.me/results/ba5e3661-367b-481a-adc1-02f90fa30218/
SH256 hash:
c8a113f4a247a6424208be28e2e2ade4ad862999caed76c1d39ce426e1c0aa40
MD5 hash:
13bda2deebf7f5ef091522ec2be9ded4
SHA1 hash:
2af1d935faa9e04eabe067f36acdf0486a234d8f
Link:
https://www.unpac.me/results/ba5e3661-367b-481a-adc1-02f90fa30218/
SH256 hash:
56e4e634c9dcd2d51f03bcaeaccc3dae511c6709520e81f0745ddb7e30c5e827
MD5 hash:
efcca03e332e9f48110fde97de065e98
SHA1 hash:
3e2238c1df48afc1c8be394cae27f8fcac4670a8
Link:
https://www.unpac.me/results/ba5e3661-367b-481a-adc1-02f90fa30218/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/56e4e634c9dcd2d51f03bcaeaccc3dae511c6709520e81f0745ddb7e30c5e827

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/316606/

Comments