MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9
SHA3-384 hash: 2cc19ebd0a96b023496b61555729dcb0d0a60c9ad8404829de459a912933793a38e6a747fba4b2c6ae6c7441ce719eea
SHA1 hash: 4f2435a19956ebbe4acd214c65428a36337f7abd
MD5 hash: 9c05d1ae12cc58702c8a54ad739b9551
humanhash: pennsylvania-robert-lima-four
File name:preuve de paiement.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:266'476 bytes
First seen:2021-10-11 14:58:22 UTC
Last seen:2021-10-11 15:27:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBsOIdSIHJKM7xTTGYsmLMJKsYTwnXfK8fJV4:/OKlgVmcYMnXfp4
Threatray 2'388 similar samples on MalwareBazaar
TLSH T16D4412399995CAF7D6A217312A3AB7F5F332474C8412158F57F19F332E2129B931E08A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
preuve de paiement.scr
Verdict:
Malicious activity
Analysis date:
2021-10-11 15:05:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/d91856f0-6a06-4650-a9aa-4f125ac5fa3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196679/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/616451371c2d58ba7401e8e9/reports/9e953f01-3e38-4313-a49e-e0cc7e38b60f/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd1496f5-75bf-46a6-ab3a-1b5ea0015936
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867789
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500216 Sample: preuve de paiement.scr Startdate: 11/10/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 10 preuve de paiement.exe 17 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\sqxq.dll, PE32 10->28 dropped 54 Injects a PE file into a foreign processes 10->54 14 preuve de paiement.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.blwcd.com 103.47.80.234, 80 CHINANET-YUNNAN-IDC1CHINANETYunnanprovinceIDC1network China 17->30 32 www.lepirecredit.com 17->32 34 www.advertfaces.com 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 mstsc.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 12:00:44 UTC
AV detection:
13 of 27 (48.15%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=leqc3fn3zonikysk4vvzhlpozskli5vacmp6izylogcdtlsnuheq._file
Verdict:
unknown
Similar samples:
09fdcf52fff7285e32960072d6e88300f70be978d41560b19a4175e9701500dd
Formbook
1eaac3194b53e9523347d6d8392bb9ac437437217b530f2c61a270459c7da06e
Formbook
22c6a5976ce7b78c9fc9be80c53945344670b5df128629f0d1e99d48b2e65121
Formbook
321614efdd982c05c30e11529158d445e17a49bef9437c17a95567aa3cccc890
Formbook
52dc772f8a1fba5d23b2bd62f1762d49f180579d561bbb64d84f97f4c3a7b2cd
Formbook
63d0937af7bf53fe0b74ae6631452ff2d254ab6c7e1d0a62372f1f6992a1a1fd
Formbook
66ba5ddfe4ba8eff18b461334b8e589d64ee3421fe7f5cd9e1c614e3661f70a3
Formbook
75beaf53680c0e6ee8a24d54255a86b1c4fd644bc010e48c6a2dc182697db766
Formbook
8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f
Formbook
b8059fc344b91a7b02e6a15a94551fcb3450f1109ad59bd6f3a22e0342ad9ff5
Formbook
+ 2'378 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211011-scqn6ahefj/
Behaviour
Enumerates physical storage devices
Unpacked files
SH256 hash:
37ded35a9642064abf77680a8001ed61ab3e44f02d087aa2c298dad5354c9d09
MD5 hash:
69c5fa95dad7d3f16e220f9a83ab67ab
SHA1 hash:
4891df071dcb5f455770a9b51dcaa56931ba8811
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/734913fe-5668-4f51-aafa-2a5693a742af/
Parent samples :
bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9
218a43f5f1a1bb3a7974fe8fd0532829b1b858dec3c8d6bc2a5835a6bb735321
9e13a5c939cf22a9d4b60631d6c397903095561e51a9aaaca44be3666abf75e5
d54e341578828a215bbe78db4f2dc64a5388d4ce3bc7d6488f7bafb8c6b02d1c
59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9
c14ba2023f89dc57df157690e40042b8b090906257c59b6e5834b2212cd3142e
SH256 hash:
77f3d6aeda2cc91d95bf5065aefc4cea853471801a8f44580b922bfaa48eda18
MD5 hash:
b6c4d640ca42f58d5fd2c44d3b6e4fe7
SHA1 hash:
8d30123daec7bb056e7d598b5486d93098f81350
Link:
https://www.unpac.me/results/734913fe-5668-4f51-aafa-2a5693a742af/
SH256 hash:
59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9
MD5 hash:
9c05d1ae12cc58702c8a54ad739b9551
SHA1 hash:
4f2435a19956ebbe4acd214c65428a36337f7abd
Link:
https://www.unpac.me/results/734913fe-5668-4f51-aafa-2a5693a742af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 59202d95bbcb9a85624ae56b93adeecc94b476a0131fe4670b718439ae4da1c9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/196679/

Comments