MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5875c3bafcddce0e3a6413060898fe0d283f967769829a7c26e93bf7cf35c94d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5875c3bafcddce0e3a6413060898fe0d283f967769829a7c26e93bf7cf35c94d
SHA3-384 hash: bfd062b4a87bcc37ecc2d8d71f81e22e0a2a02ed133b18afddebe78888bc9aadd6a7ceb291959841f2f8cd6352763dfd
SHA1 hash: 2e8becc73d2229525cf91c585308e31eb4ecc9f0
MD5 hash: c631a9b343ef34dbee8335ca1a3429e8
humanhash: quebec-cola-xray-louisiana
File name:Payment - 20220408 xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:178'688 bytes
First seen:2022-04-08 15:04:06 UTC
Last seen:2022-04-08 15:17:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:jH26/MZaDJZ5/9UeAxbQffJKXl+/AhFVeGidNETT4k4g6tGocA04sQm6eS2KWVAj:jWGLX/A/Veua08e3EYGKeR9
Threatray 360 similar samples on MalwareBazaar
TLSH T158044202257CA8C3F69C6C73A8DC975E1EE06C6C4676106DF647B6E9E53F103E6212E2
File icon (PE):PE icon
dhash icon 74fcd4c2c4c4c0d4 (4 x Formbook, 3 x NanoCore, 2 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment - 20220408 xlsx.exe
Verdict:
Suspicious activity
Analysis date:
2022-04-08 18:03:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0ddd1f7-3883-4e74-8217-3915b84f03ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262175/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GYT.genEldorado.4867.29886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/62504f20bbd90911a298770c/reports/98aa3be8-4bdf-46d6-80d2-4968298a0a7b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7e70ebe-5775-440f-817d-f45a5ca12e1a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973293
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 605778 Sample: Payment - 20220408 xlsx.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 30 www.nbxinwen.com 2->30 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 11 other signatures 2->42 11 Payment - 20220408 xlsx.exe 15 3 2->11         started        signatures3 process4 dnsIp5 32 graphictrunk.com 192.185.113.153, 443, 49781 UNIFIEDLAYER-AS-1US United States 11->32 28 C:\Users\...\Payment - 20220408 xlsx.exe.log, ASCII 11->28 dropped 15 Payment - 20220408 xlsx.exe 11->15         started        file6 process7 signatures8 52 Modifies the context of a thread in another process (thread injection) 15->52 54 Maps a DLL or memory area into another process 15->54 56 Sample uses process hollowing technique 15->56 58 Queues an APC in another process (thread injection) 15->58 18 explorer.exe 15->18 injected process9 signatures10 34 Uses netsh to modify the Windows network and firewall settings 18->34 21 netsh.exe 18->21         started        process11 signatures12 44 Self deletion via cmd delete 21->44 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5875c3bafcddce0e3a6413060898fe0d283f967769829a7c26e93bf7cf35c94d/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-08 15:05:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
49
AV detection:
13 of 42 (30.95%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lb24hox43xha4otecmdargh6buud7ftxngbju7bg5e57ptzvzfgq._file
Verdict:
suspicious
Similar samples:
0d913321824b24f168daf6da5e888c9700fb5ed5e3bc06bd24be670c1a10fcb7
Formbook
20dde0ac9cfe41a1b3b1d6b7cb58008cb95a76b4876ca823d1b5f6a5ebf03bcc
Formbook
5391a6ed1fe458685e02c04cad045a5148d4f01e4d45b9dd70927c46b5e6420f
Formbook
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
Formbook
62dfec4ae1b54d763d3ae01d9a0458c6ebf2e35f898bcaebac5e10d5ff477c7c
Formbook
cf8994976d58b8778246f5c5908ec64a0fdfebfe2bd80ecaa96ed27baf9d1ed2
Formbook
d727b63c6bcf81ea3c6a345f8435ad103f37c11c1b2cc89f9fee1f7253a26f9f
Formbook
f27c6d23143bb1c0ea77515c806ee7d75889c31262c7c26a5868989fef41e466
Formbook
f469b5c967ff28b96444a48b6769ccde102417de9d59df1878bfe486ade890dd
Formbook
f4af46ad96a86cad60d613a3387a0a68c580247ef88943e2ea0e5b9679a38c2e
Formbook
+ 350 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gc5j rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220408-sf581sbadj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)
Unpacked files
SH256 hash:
5875c3bafcddce0e3a6413060898fe0d283f967769829a7c26e93bf7cf35c94d
MD5 hash:
c631a9b343ef34dbee8335ca1a3429e8
SHA1 hash:
2e8becc73d2229525cf91c585308e31eb4ecc9f0
Link:
https://www.unpac.me/results/b032ecc6-7992-4dc8-8dea-5e0c5002401d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5875c3bafcdd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/5875c3bafcddce0e3a6413060898fe0d283f967769829a7c26e93bf7cf35c94d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5875c3bafcddce0e3a6413060898fe0d283f967769829a7c26e93bf7cf35c94d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/262175/

Comments