MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
SHA3-384 hash: f810cb2a57efde1447233fd498eba961dbf4d0798d4e1c393595d3050d09acf452dba1a3e6c9a30bb31c8768ae789814
SHA1 hash: 8a7b3cb301aa2a738b200ffb04c085bb6587c7e9
MD5 hash: 367b0970e71059bc349ee67bba1afde2
humanhash: lamp-seventeen-quiet-maine
File name:PROFOMA INVOICE NO2021TD24 PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:889'856 bytes
First seen:2021-08-18 07:34:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:lIDc9F3nC0Py3gAh0myrYO8EFA/PWqqz1xpxHLEWKfaFWAR0ekeNTvDqYs0jxN6+:ldf25qz1xvHIVfif0OqhqN6apBfO5q
Threatray 8'024 similar samples on MalwareBazaar
TLSH T14F15D5BC19B9B62791B9C725EBE18817F0409C9F3551ADA4E4DE27B3032EA5234C723D
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PROFOMA INVOICE NO2021TD24 PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-08-18 07:35:49 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/31c1ee6b-6bd9-4ff4-943f-a82ae5d39931

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180230/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b0548af-d9e1-44b3-97ea-9747744ac665
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834930
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467361 Sample: PROFOMA INVOICE NO2021TD24 ... Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 36 www.idt-metrofireandsecurity.com 2->36 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 8 other signatures 2->48 11 PROFOMA INVOICE NO2021TD24 PDF.exe 3 2->11         started        signatures3 process4 file5 28 C:\...\PROFOMA INVOICE NO2021TD24 PDF.exe.log, ASCII 11->28 dropped 14 PROFOMA INVOICE NO2021TD24 PDF.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.accountmangerford.com 81.17.29.150, 49724, 80 PLI-ASCH Switzerland 17->30 32 www.hold-sometimes.xyz 150.95.255.38, 49720, 80 INTERQGMOInternetIncJP Japan 17->32 34 14 other IPs or domains 17->34 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Performs DNS queries to domains with low reputation 17->40 21 systray.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 07:06:44 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohi73i4u6gcwqtlsd5mqc5ru7ga6s4uwj4nuyizwn6riyhnegb7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
016e6200c368ec7e158572673568037338e92642721c8e543a01571fd0ee2571
Formbook
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
Formbook
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
Formbook
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
Formbook
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
Formbook
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
Formbook
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
Formbook
+ 8'014 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ssee loader rat suricata
Link:
https://tria.ge/reports/210818-bgrbd26c56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.idt-metrofireandsecurity.com/ssee/
Unpacked files
SH256 hash:
fe4ed2a81e8d978e5af169b4144f115f27e039f4d56f627ec25dcdf3468bc1ef
MD5 hash:
84869db9efc28228fd5932c0a33a9aac
SHA1 hash:
33b9d49e3eb86dbd7b9bac6b2580bc69d251b611
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/880d11a2-4162-4bbd-bb8b-82d6eec66559/
Parent samples :
1c49c90dceca146ee0b95fab3873e38bcda5b46b550a59f8ba2ccf5984a11b92
fa7a3ac64a6c26f248d805abfb0961bfe6518df6dcb3212de51593b92d5e4158
435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
132167fd6c334c13919991a82a38645572a9d58c5f83cb1ddf0fcf41e37d2105
0cb047df6b7a2df55972c4d33b5d10b511f707f30907513f07bf5ae2c070d534
9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
7f0599ad186f76d0d5ae5daf5e713747281b1b631bfef0cb340b2977ed53d253
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
366b6d23b6e536c3b8bd769edbebc2e7dc26e38e75ac85a32a7b4512f585b68f
f7c1ecf2c6e90d8a9a0ac0972b0ab02ca809a85da65d51b46f56a4c81cc4996e
aba30cfb1f3ce3760e9cbd42f49cafa3582d349d690f1ee91674e2998f4b290e
ac57d8cb242185bd11b7b0ab898c06f7904e0e0a0d9c39edd3b136c902bf394a
69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
a73336c8fc448bd54031998ad8cbda50f452c3c8a1600623a43e07ce6476b3d5
b4c38c13fa5c4e7789b534da669f6aff46e9faa41ceac97ed3deea7ca94094ca
2465cbd2ae3adb04f06a069fef61acc098096ef1f33cece8076d059b106f7b3a
63abf2ffa58c2c36920a2be604c77ac2a25b2bd5d1d6ba9d81338da21418ff10
e426d0d32845bb665740831128bcb5109a588544acf73317f5ee3bce6e5f486f
42c496ed24bc4b1abd0d647105d7931b9b18b9ce638550dcc5e96fa0cd69dc4c
a9d0de4abec8a5d9f13b203b8f4bcc0dcd101fb5f5f89ea910414d4cc16391ab
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
ee5ab13a8694e1883f2e4f1509580d2cd01b6041ef78da9e1524f8b4eaee6ed5
c221c9dcc6e6a5c53181b072958ebe173ac1781861fb1d95ed1734def6322972
b5821114ae6e03e71fa7cc2dc293aa7f8a5563ebb4a2151194b2acb9eed4758d
61364951cb7faf165eaadcb66f8e124a689f5f298ec5f2d9539206904d1194b8
1fad173e519f8c7cb34093e926807794765789e79d377e89ffe201ae8d76dd99
13c385c3a7e1297c506764e1b956a5aa568590389356140c92e2a2cb953bffe5
6ec3a910864aa91b0bec91275ffc3ef7e3dcc0e1c7f247624514b1c9d4c16992
9dbcb6d140d0fd1db131b3f086eb8ee6dc9d0dcdd325f36b48aea1495408e2a2
91a28bbaaaed3acd39f0c37cf091e0a4e3a54ac5f00b4c26c5d3af44c9bc3fb3
cb32d42bcbcc716d12c9926bd3aab2def79f4dc2774f2f04234d95b2b4849e86
def69bd673ae57b70c20087596b787eb27c1f0da7053ba2991e87cf7f032c43c
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/880d11a2-4162-4bbd-bb8b-82d6eec66559/
SH256 hash:
7efde4d19607d9e86e4c5dca31e459c2b25375dcc041b810a669da89d83173c4
MD5 hash:
2bc7ff75595b0fee0992971c7569c14b
SHA1 hash:
1379a594a8adcc2e7c69354bf6e80b8fcdf5c93f
Link:
https://www.unpac.me/results/880d11a2-4162-4bbd-bb8b-82d6eec66559/
SH256 hash:
71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f
MD5 hash:
367b0970e71059bc349ee67bba1afde2
SHA1 hash:
8a7b3cb301aa2a738b200ffb04c085bb6587c7e9
Link:
https://www.unpac.me/results/880d11a2-4162-4bbd-bb8b-82d6eec66559/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 71d1fda394f185684d721f59017634f981e972964f1b4c23366fa28c1da4307f

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180230/

Comments