MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a
SHA3-384 hash: 846b17ae9c583581a0d3ba8fb8034cb0278e1e29e582c64eb7140891844414ddb70da54cf79c12b1abc53483751aed5b
SHA1 hash: e6bbb175af3110e5523e5fd14fd5aad9ec119f9c
MD5 hash: 48a62b906ffdf81960924e36b86543ea
humanhash: blossom-louisiana-bravo-carpet
File name:Invoice25343.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:324'240 bytes
First seen:2023-03-06 09:40:38 UTC
Last seen:2023-03-06 11:36:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:jYa6U/GWS34473n8eO1Iukqmu2koxNlea+s+Vu0BZxNogZ/J1ALkg:jY2/GWI3kIukqmu2pvL+sEFDxj7c9
Threatray 3'304 similar samples on MalwareBazaar
TLSH T12864F1023A49CAC3D1190B3151E78BB527F96D2259CE4B9E2751F6E87C72B58730EB22
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1efeb3f2caeafe07 (1 x Formbook)
Reporter cocaman
Tags:exe FormBook INVOICE payment scr


Avatar
cocaman
Malicious email (T1566.001)
From: ""Reuben Machin" <serial@lukesengineering.com>" (likely spoofed)
Received: "from mta0.lukesengineering.com (unknown [45.125.67.81]) "
Date: "Mon, 06 Mar 2023 01:04:48 -0800"
Subject: "RE: Comfirm your Payment Information in the Invoice"
Attachment: "Invoice25343.scr"

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice25343.scr
Verdict:
Malicious activity
Analysis date:
2023-03-06 09:42:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7750070f-285c-4264-835b-9a72f7403403

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371846/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.26364.900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Searching for synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6405b530bfec0852a68fa7df/reports/632cceea-9915-4f64-b502-746724c5fb78/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf181e92-868a-4021-96a3-8c3ce27bb693
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187646
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820521 Sample: Invoice25343.scr.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 6 other signatures 2->44 9 Invoice25343.scr.exe 19 2->9         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\mhsglp.exe, PE32 9->26 dropped 12 mhsglp.exe 9->12         started        process5 signatures6 58 Antivirus detection for dropped file 12->58 60 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->60 62 Maps a DLL or memory area into another process 12->62 15 mhsglp.exe 12->15         started        process7 signatures8 64 Modifies the context of a thread in another process (thread injection) 15->64 66 Maps a DLL or memory area into another process 15->66 68 Sample uses process hollowing technique 15->68 70 Queues an APC in another process (thread injection) 15->70 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 28 www.ectdamageoutlaytospe.xyz 198.54.117.242, 49685, 49686, 49687 NAMECHEAP-NETUS United States 18->28 30 iidethakur.xyz 95.216.161.178, 49684, 80 HETZNER-ASDE Germany 18->30 32 2 other IPs or domains 18->32 46 System process connects to network (likely due to code injection or exploit) 18->46 48 Performs DNS queries to domains with low reputation 18->48 22 cscript.exe 13 18->22         started        signatures11 process12 dnsIp13 34 www.chiyiqian.net 22->34 36 192.168.2.1 unknown unknown 22->36 50 Tries to steal Mail credentials (via file / registry access) 22->50 52 Tries to harvest and steal browser information (history, passwords, etc) 22->52 54 Modifies the context of a thread in another process (thread injection) 22->54 56 Maps a DLL or memory area into another process 22->56 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 09:03:42 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 34 (47.06%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lc6ro4bp6nfagfzdsaa3yitifyb2oql2bnduhcspukvbyjvwsn5a._file
Verdict:
unknown
Similar samples:
0b27deefbf362687701891f8fcbacf4122ce0a6e4972bc7b68cc8f3e7034b1eb
Formbook
0e21cb48d334fa636c6a2d9d40726f4b7f03b80ae79bc611d6ac94ff552398cc
Formbook
29032ae14e315863a55a0851c3e1c9cb246beb4513a279d8b1bf7fac97be6ff7
Formbook
82d448cb2461440d0ab1777690a41e228118c36961d8ee506ce94a9622b8af5d
Formbook
8eaffa403a0bacae0e43928c07f77ea8540b480eda49e10d4a44079b8e0236fe
Formbook
aaf0aae0610d84f673e476995899a9fd5169ade32485bbfa248b6571132b100b
Formbook
bc49d2a85d44b57a55063bf2f784f96d127a7ec7ad0b9f385ade2cf3d713e35b
Formbook
d84b6f3b066ab525f9a42b819e618196568925ebe76eafb545ce8376f1ea223c
Formbook
ebb0272ecef9d8bf07a71b9ead8718760d27c4fdc334fe2de7a8b93237e61044
Formbook
+ 3'294 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230306-lnr8ssbe86/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
ed1a11512089a6d10c687021c8dddaf2adcb2dd6cada975385fe6a2bd1738ebf
MD5 hash:
1934cc19c86323d62d706440db5d4ae3
SHA1 hash:
cf8d6fb6a71dce3372c76e500948016978c9c7e8
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/74f225f2-616b-4eb8-8e7e-b1720bcd9cce/
SH256 hash:
4b0a0c3b0a3d54b23f15494aca728b7bab4086a705998c7479c39ba969ae1157
MD5 hash:
d28a03f563c1c4d9fc19cc4ae5cbc0a1
SHA1 hash:
014606577be7c8c642cdbbed82931744a7dd9a86
Link:
https://www.unpac.me/results/74f225f2-616b-4eb8-8e7e-b1720bcd9cce/
SH256 hash:
0df521693280e8262c8e8306f2eb88335bef2ded5eaddb04cd2fd401f174b8cc
MD5 hash:
b95ccbfde0103492b7a08b183227856f
SHA1 hash:
6db9d36a3eeaeb51b403ec09ebdf565d435887ad
Link:
https://www.unpac.me/results/74f225f2-616b-4eb8-8e7e-b1720bcd9cce/
SH256 hash:
58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a
MD5 hash:
48a62b906ffdf81960924e36b86543ea
SHA1 hash:
e6bbb175af3110e5523e5fd14fd5aad9ec119f9c
Link:
https://www.unpac.me/results/74f225f2-616b-4eb8-8e7e-b1720bcd9cce/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58bd17702ff3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 58bd17702ff34a0317239001bc22682e03a7417a0b47438a4fa2aa1c26b6937a

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
Formbook
Cape
Cape
https://www.capesandbox.com/analysis/371846/

Comments