MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d53b16faa7d57ada4a5c9a6db40d57bc992b1525f35e87dded4d9c80dc1c5d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d53b16faa7d57ada4a5c9a6db40d57bc992b1525f35e87dded4d9c80dc1c5d0
SHA3-384 hash: aa6bfbf58cf0cc0b1b32923723bc9e9f6989d43dfe7241f646af6aa98b68b15a9ab421de50e2612ef4d2ec46d029201b
SHA1 hash: 2953a5b4ed0012cd6d994f0e9e199aabbac237b5
MD5 hash: 6cd01e3bfd1e0b2efb791cebc45ae7a0
humanhash: sodium-hawaii-five-seven
File name:bank slip_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'415'680 bytes
First seen:2021-05-24 17:43:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:rlXdgAF6gwTWajxRbvRfwkW/V4j5WUWQO37KZ5hwWjY:BtgG8DRwv9LQhTY
Threatray 23 similar samples on MalwareBazaar
TLSH 18652350B390914AD85C0974CA22BD205AF2BEA01D10EA9F4EDB3F5E3DB3745254BADF
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bank slip_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 22:49:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72a56536-b813-40a0-ab32-9ae3c3eb3b3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790724
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 423126 Sample: bank slip_pdf.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 54 www.rekoup.tax 2->54 56 clientconfig.passport.net 2->56 58 www.8160phaeton.com 2->58 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 9 other signatures 2->78 12 bank slip_pdf.exe 7 2->12         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\TXfsCVyOlJ.exe, PE32 12->46 dropped 48 C:\Users\...\TXfsCVyOlJ.exe:Zone.Identifier, ASCII 12->48 dropped 50 C:\Users\user\AppData\Local\...\tmpCFB1.tmp, XML 12->50 dropped 52 C:\Users\user\...\bank slip_pdf.exe.log, ASCII 12->52 dropped 94 Writes to foreign memory regions 12->94 96 Allocates memory in foreign processes 12->96 98 Injects a PE file into a foreign processes 12->98 16 RegSvcs.exe 6 12->16         started        20 RegSvcs.exe 12->20         started        22 schtasks.exe 1 12->22         started        signatures6 process7 file8 44 C:\Users\user\AppData\Roaming\suSwVklf.exe, PE32 16->44 dropped 68 Injects a PE file into a foreign processes 16->68 24 RegSvcs.exe 16->24         started        27 schtasks.exe 1 16->27         started        70 Tries to detect virtualization through RDTSC time measurements 20->70 29 conhost.exe 22->29         started        signatures9 process10 signatures11 86 Modifies the context of a thread in another process (thread injection) 24->86 88 Maps a DLL or memory area into another process 24->88 90 Sample uses process hollowing technique 24->90 92 Queues an APC in another process (thread injection) 24->92 31 explorer.exe 9 24->31 injected 35 conhost.exe 27->35         started        process12 dnsIp13 60 aminulhaque.info 23.29.122.195, 49719, 80 HVC-ASUS United States 31->60 62 www.corrlib.com 168.119.91.111, 49720, 80 HETZNER-ASDE Germany 31->62 64 2 other IPs or domains 31->64 66 System process connects to network (likely due to code injection or exploit) 31->66 37 wlanext.exe 31->37         started        signatures14 process15 signatures16 80 Modifies the context of a thread in another process (thread injection) 37->80 82 Maps a DLL or memory area into another process 37->82 84 Tries to detect virtualization through RDTSC time measurements 37->84 40 cmd.exe 1 37->40         started        process17 process18 42 conhost.exe 40->42         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d53b16faa7d57ada4a5c9a6db40d57bc992b1525f35e87dded4d9c80dc1c5d0/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-24 17:44:08 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvj3c35kpvl23jffzgtnwqgvppezfmksl426q7o62tm4qdobyxia._file
Verdict:
suspicious
Similar samples:
084b7a2a142edf5c3ebcd6bcafebe00a6953b36eff6ed7dafd54a490e657b1f5
Formbook
1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b
Formbook
40377adc190ad001ea80a3e8bbc32aedc3bf77bcc8954baa1808bd8ae9c322a0
Formbook
43e9194904503eb5a508cf89297b8dbfc73f79600ff6bf13c5d8e717941e2652
Formbook
4427dbd6209079235487c24f4843a10d582fe6264fae0d107091e81133a8960c
Formbook
88e4cafa9fe18c0b4f53f5e0d176d78bf9f81bb02328ec448fa644be018747a4
Formbook
b49f6a646a9c6cdc0456310e02695f338b0a9fe352a7b8edbdd3ed8e1ffc069d
Formbook
b5d8a24e97905a0333243481930777008b654c43dd04bbf995d75334183c8070
Formbook
f73bd79fa45052bdee47d286e58107be584dd64d6cafb38362d494d9b388356f
Formbook
fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976
Formbook
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210524-jdkbrwhgfs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/6d53b16faa7d57ada4a5c9a6db40d57bc992b1525f35e87dded4d9c80dc1c5d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments