MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 712eb19b7de426341be8eda9e82462388f6c291ee7014c0c47b58d9a1ab9483d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 712eb19b7de426341be8eda9e82462388f6c291ee7014c0c47b58d9a1ab9483d
SHA3-384 hash: 6deed8c8b22bb36c7e4e562848a73a72b076faade2fd26a2bc5183ceb675c5a03319c3c3bf7a41e7b731461d29ef77c7
SHA1 hash: 76270f0bd8feb8c118ab1ce61549d1d56402983e
MD5 hash: 081b15610a6285d4fd0e42ea39a980a3
humanhash: zebra-carolina-king-diet
File name:Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'341'952 bytes
First seen:2021-06-02 14:43:59 UTC
Last seen:2021-06-02 15:40:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:qUomiciZyqTDiQiU/p9IdcL/fJRejt56Io:TkGCifUvL/hRejf6I
Threatray 5'593 similar samples on MalwareBazaar
TLSH 3155F8D07E54C7B8ED09D632AA185C7943B1A2AD10033F3C9FAD85A82E37B45ABCC457
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 14:46:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39ffb367-826d-4934-809c-ed9a15a2e484

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164086/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796022
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 428419 Sample: Invoice.exe Startdate: 02/06/2021 Architecture: WINDOWS Score: 100 33 www.tajc.club 2->33 35 www.ashleyjordanoutlaws.com 2->35 37 ashleyjordanoutlaws.com 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 11 Invoice.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\Invoice.exe.log, ASCII 11->31 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 Invoice.exe 11->15         started        18 Invoice.exe 11->18         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 20 explorer.exe 15->20 injected process9 dnsIp10 39 www.payonbux.com 156.224.66.89, 49736, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 20->39 41 generalplex.com 108.167.183.94, 49756, 80 UNIFIEDLAYER-AS-1US United States 20->41 43 10 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 24 systray.exe 20->24         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 24->55 57 Maps a DLL or memory area into another process 24->57 59 Tries to detect virtualization through RDTSC time measurements 24->59 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/712eb19b7de426341be8eda9e82462388f6c291ee7014c0c47b58d9a1ab9483d/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-02 14:43:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oexldg354qtdig7i5wu6qjdchchwyki644auydchwwgzugvzja6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1925c407d4f24ed0e1e002a57042e4cec58f9e09bde7c441f6f5b9ca5748ea20
Formbook
1a912965cb32d547e15282d11d1251c5fd89a5d2714a198ca26c2ad8597865bb
Formbook
328347fb76bfbe6c93cb671972c70bcf298de581d33df0f13999c338225cddbd
Formbook
3ab2ff5459a46d33405f2c4a2853dbd9c21b09fd8f7abf0bb9683736f372776b
Formbook
3ba0da5db0ccdbabdfd7e95fe24a1c43056b77893dc6c589ede0a2a4ba365cce
Formbook
3c5cf190ba17e8138feadf46a81dbdafff69ecd8b9122aaf4967fbd9aa79c1f6
Formbook
48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908
Formbook
788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
Formbook
+ 5'583 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210602-2pw5w2t2dx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.generalplex.com/pz9b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/712eb19b7de426341be8eda9e82462388f6c291ee7014c0c47b58d9a1ab9483d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/164086/

Comments