MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 780ba59b7be77a7413771f560855e61d9acc2b0d68809bd8665154693b11ce2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 780ba59b7be77a7413771f560855e61d9acc2b0d68809bd8665154693b11ce2a
SHA3-384 hash: ce93784f9985eca8d674f6abef27518f27337d639e487bbf7e6555caa54964b105ec1784dbc5b26dac86284a681407bf
SHA1 hash: f46f0086b5dee4906ece543068bb1ef61d623435
MD5 hash: bd845ba55e7b3c176d4bb5c5069bf30b
humanhash: three-minnesota-tennessee-shade
File name:Fizetési_visszaigazolás.pif
Download: download sample
Signature Formbook
Create hunting rule
File size:196'954 bytes
First seen:2022-04-25 15:47:48 UTC
Last seen:2022-04-26 06:22:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmwqmm1haXWYhFN7iNq7j5kqQzXeUmGWB1:HNlTmuhd7Nm+qxv1
Threatray 15'268 similar samples on MalwareBazaar
TLSH T1941402197A80C15FE6E35B721E749677BBFAA700A950938B13606FAC7E71783C50D306
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook pif

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266478/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6266c2f2a7c29825bf70f3a3/reports/1260d7a6-4830-40c2-a71b-6ce698fd0423/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/283a4dbd-df95-40a6-8fc6-ef255e9b2461
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982546
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 615034 Sample: Fizet#U00e9si_visszaigazol#... Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 34 www.oudste.com 2->34 36 traff-1.hugedomains.com 2->36 38 hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com 2->38 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 4 other signatures 2->60 12 Fizet#U00e9si_visszaigazol#U00e1s.exe 18 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\yfzxx.exe, PE32 12->32 dropped 15 yfzxx.exe 12->15         started        process6 signatures7 70 Multi AV Scanner detection for dropped file 15->70 72 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->72 74 Tries to detect virtualization through RDTSC time measurements 15->74 76 Injects a PE file into a foreign processes 15->76 18 yfzxx.exe 15->18         started        process8 signatures9 46 Modifies the context of a thread in another process (thread injection) 18->46 48 Maps a DLL or memory area into another process 18->48 50 Sample uses process hollowing technique 18->50 52 Queues an APC in another process (thread injection) 18->52 21 explorer.exe 18->21 injected process10 dnsIp11 40 www.hoaxkapota.quest 37.123.118.150, 49818, 80 UK2NET-ASGB United Kingdom 21->40 42 ur37-site-01.cdn-ng.net 20.187.252.206, 49764, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->42 44 13 other IPs or domains 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 25 help.exe 21->25         started        signatures12 process13 signatures14 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/780ba59b7be77a7413771f560855e61d9acc2b0d68809bd8665154693b11ce2a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 00:53:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=paf2lg33455hie3xd5laqvpgdwnmykynncajxwdgkfkgsoyrzyva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bd840a10d4463fe31116ce57b0b674a6d10176d910cf7bcd9ba360cfcb9f3a6
Formbook
191fc1cbb34d2b86bf085a019d6204f1ee76f55a7e6c3849e0309d7666da4614
Formbook
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
Formbook
3ea19f45dd5b9c5ed0e6f371d7e92afda076c69e6a43eafc3c83337819eee56a
Formbook
42c22b1ceff07541d20717e8b9fea63a1418dc92917303cdcf48cce246a7d29f
Formbook
4ba70a201f9aeed927954ccf79ebba102df5f50c437c278636b1905b3f71058f
Formbook
60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f
Formbook
9d42e6621d13c43c63721e4f9b4f63c00ef1d7e97cb0fe061bd19cbcc6e2e735
Formbook
af985554eebc4990f77fc7c337d7af4367c2e28acbb41386669e5fa3bb55fbcd
Formbook
+ 15'258 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:mt6e loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220425-s8r7vsceg4/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Unpacked files
SH256 hash:
6086fdd61649e83dce8f56cd286b2df116eeed8a275b0ffaba77557f56136590
MD5 hash:
88250ea3676780fe857057876eda1cac
SHA1 hash:
817ff91a57eab1ba05f79ce17a91dea82ede91a0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a55db698-926a-4312-93d6-020bd377712c/
SH256 hash:
1f71a7d815a9ef5b91f8fd1c136ca0dcd8f490f1ff47e151eb7041eb4c2bcfa8
MD5 hash:
99ad309e667449804d57bde33a0fb927
SHA1 hash:
2f991c0fbf132737e2f4cb0be6b5a7803b176fd3
Link:
https://www.unpac.me/results/a55db698-926a-4312-93d6-020bd377712c/
SH256 hash:
97107ffb4c57b4d8b17c0f0de371155ece706a2d71ca9ebd55345359484e99b4
MD5 hash:
ac62b829b1453db41ba43dca5ecc69b5
SHA1 hash:
79fab20b42dc714dea0eca3259bdeb5a1c0767b9
Link:
https://www.unpac.me/results/a55db698-926a-4312-93d6-020bd377712c/
SH256 hash:
780ba59b7be77a7413771f560855e61d9acc2b0d68809bd8665154693b11ce2a
MD5 hash:
bd845ba55e7b3c176d4bb5c5069bf30b
SHA1 hash:
f46f0086b5dee4906ece543068bb1ef61d623435
Link:
https://www.unpac.me/results/a55db698-926a-4312-93d6-020bd377712c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/780ba59b7be7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/780ba59b7be77a7413771f560855e61d9acc2b0d68809bd8665154693b11ce2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb2
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266478/

Comments