MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068
SHA3-384 hash: 659c7e0a25977a8facaa18826cb304fbed482e155d3323f82742396fd076231ec025607348bec8a9da0a1515986e3acc
SHA1 hash: 3389025f571b28d42a340275e50c60f674a8767f
MD5 hash: 400a077d32f8c542b07e4dc2229d1583
humanhash: jersey-rugby-zulu-five
File name:Outstanding Payment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'025'536 bytes
First seen:2022-03-09 12:38:51 UTC
Last seen:2022-03-09 15:09:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:M+nZt3Zy3WD5kP+nmdrAIQd6hxB6fzwBm3zMhX99Cb5LRXbErnPbF+jnd8luiDec:xTD5kVtAXd6fICkWYNLRXgR+jndUt9
Threatray 14'833 similar samples on MalwareBazaar
TLSH T18325AEE229EF501DF377ABB12FC8F8CE996AF973161A30DB10521B768423A409D61735
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248640/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1230.28800.26221.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62289fe9b94fb38cb44769b8/reports/719d1572-9dbe-402e-8c1b-dbf00c1c9d03/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22950875-1484-4ba0-b364-7ea2695d888e
Result
Threat name:
FormBook gzRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953273
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected gzRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585754 Sample: Outstanding Payment.exe Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 31 www.torrentinfo.online 2->31 33 www.integrations-304vjp.xyz 2->33 35 torrentinfo.online 2->35 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 10 other signatures 2->47 11 Outstanding Payment.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\Outstanding Payment.exe.log, ASCII 11->29 dropped 59 Injects a PE file into a foreign processes 11->59 15 Outstanding Payment.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 37 chevesfernando.com 209.133.197.146, 49778, 80 HVC-ASUS United States 18->37 39 www.chevesfernando.com 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 help.exe 18->22         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 22->51 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 07:06:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 42 (52.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njuee3yy6i4zkdk3wdmcei4jbncoueg6ljp2qmuuiv65hxg4kbua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
417c951fb4d744d1446011b1e2e36e76d450801fa8072d72ea600d323d03a8c5
Formbook
510bc545d130a8a3ba0761398b897e7f0840a393d7cd12d98699525e0eb8bfff
Formbook
5645d9e38c998f5db43ae93e35339d7dca0a96b81f806b370624e7410e2eea0a
Formbook
60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f
Formbook
982e727a53a27d2bfbaea608209b315bc892947a1ef954033f1b29c687b6e001
Formbook
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
Formbook
9e41bc1734c4bc894acdc9c08568cb2f1cd01078fa9b5f30d6f18c6383c22863
Formbook
e745791e3faad64dc3c475e87b458ac60853d5ca429a32b812c6bacbc841ef99
Formbook
f725b6a2466a6f4c7084eeab5994e30b8ef836633c1a84d85c1899deb1808d3c
Formbook
+ 14'823 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:m46a loader rat suricata
Link:
https://tria.ge/reports/220309-pvl7xabcdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
.NET Reactor proctector
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
f7b953613cb87b7220f9b73583982a07afa136effe6e1d56ae3a4c0230968bd1
MD5 hash:
6fb87f025ce2d1fc228bf046605d0854
SHA1 hash:
711a8868cf1f6ef62c82578a7e759130cf40f80a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/054793b1-6f13-41eb-be8b-6d036071957d/
Parent samples :
5645d9e38c998f5db43ae93e35339d7dca0a96b81f806b370624e7410e2eea0a
e5f3bd60bce911ddbe8272a218b0690fff6b36f5876a51f26914b4b066d17ca6
e745791e3faad64dc3c475e87b458ac60853d5ca429a32b812c6bacbc841ef99
6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068
SH256 hash:
79ac92f6e5abcfe87e101ca45a70f621dd68dad2472440679cb4679e0e16cb7c
MD5 hash:
87f34bdb7ff149e7864a52c401f7d5f4
SHA1 hash:
512dbbe9e766cac61f965b5d2470a91c8f9db9e7
Link:
https://www.unpac.me/results/054793b1-6f13-41eb-be8b-6d036071957d/
SH256 hash:
01755a94eb4bdd6ba89bcafe560f8f7f2716281f34c88ea47672e3a9dc9b1179
MD5 hash:
af787d0a6703c928b28188cfb460f921
SHA1 hash:
4c5598f60e48ce4a36c76af694f2bd6facb7c478
Link:
https://www.unpac.me/results/054793b1-6f13-41eb-be8b-6d036071957d/
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/054793b1-6f13-41eb-be8b-6d036071957d/
SH256 hash:
6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068
MD5 hash:
400a077d32f8c542b07e4dc2229d1583
SHA1 hash:
3389025f571b28d42a340275e50c60f674a8767f
Link:
https://www.unpac.me/results/054793b1-6f13-41eb-be8b-6d036071957d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6a68426f18f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6a68426f18f239950d5bb0d82223890b44ea10de5a5fa83294457dd3dcdc5068

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/248640/

Comments