MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 780da6ad1de123c74b8fc845639ee4a2d41b135e8f46fa4b323e8da0da406e53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	780da6ad1de123c74b8fc845639ee4a2d41b135e8f46fa4b323e8da0da406e53
SHA3-384 hash:	d5d1e77f00d4e610cbdbabab4ded2c3089f8a25009405ffe651f7f0713edfa4b7e7a88afd54dfe758fe234091458b168
SHA1 hash:	d9f97d8e033c292a0cbd8801a9aee95d688a56c3
MD5 hash:	fc60744442054f64a878efed4e934c5c
humanhash:	iowa-west-wyoming-massachusetts
File name:	Factura.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	640'512 bytes
First seen:	2022-06-09 13:50:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:xoI9qbtPjjleU3Qq13zGRK4RFJ1jmVCXTT4uHWxfY5svOb0X:yIyth3f13aIcRjACXQOWxfQP0X
TLSH	T12BD4E1E4EFF5B8A1E1242433B490613C37E29E0EDC66D92AD68BF64A34927C254F5D07
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Factura.exe

Verdict:

Malicious activity

Analysis date:

2022-06-09 20:07:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/24519fd2-774b-486a-a47a-1d6d555b0ac7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/278390/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.31001.3689.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a1facc8e867832d9eba62e/reports/b8f6177c-6093-4f2c-b28a-f0ab1039d765/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5374e3b1-fd60-4e8f-9f11-1c212635e22b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010051

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd or bat file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/780da6ad1de123c74b8fc845639ee4a2d41b135e8f46fa4b323e8da0da406e53/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2022-06-09 02:33:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 41 (48.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pag2nli54er4os4pzbcwhhxeulkbwe26r5dpuszsh2g2bwsanzjq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:cy84 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220609-q5s9msgfgm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

08818d7d4e27cea5b6d8d259c4de1a9e862823a4f594e5a58d247734503d7bf0

MD5 hash:

78fabaf81a4cf56385fcb2972f1e6982

SHA1 hash:

1aacda354da2ce5c68c0cc05dc1180c89b10f7d7

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/1a6a142e-5921-4820-949b-0897965efccf/

Parent samples :

780da6ad1de123c74b8fc845639ee4a2d41b135e8f46fa4b323e8da0da406e53
d16928ea116bf3bfb6f3b51c833fd52a540e645ba60ef8842b4750cdd33080bb

SH256 hash:

9f17ce19955c72ca95b79866ac835b43b668fd262ec3327aed7ea39679386a77

MD5 hash:

64b68e475db7dc354b44db2172b2d137

SHA1 hash:

8f12b0ad33254f0211be14bc6a032c45256cf37f

Link:

https://www.unpac.me/results/1a6a142e-5921-4820-949b-0897965efccf/

SH256 hash:

b8878527411be40b34c2fbaed8232eb19850a9c8c20da123a8fd8bdfb0db4b31

MD5 hash:

4ce114dba3a7712c15001c72c4dd63c8

SHA1 hash:

6cbad59856cf38d2fed2e4c38f8a6f76f0c08624

Link:

https://www.unpac.me/results/1a6a142e-5921-4820-949b-0897965efccf/

SH256 hash:

ab041940ab09ecc57f12450cd14ccc2adf43e308ab30b8ab944138437af77ee7

MD5 hash:

c21f667d5281aeb732920d81e9bacd50

SHA1 hash:

2fe22c684fb13741d6f71a3dd6bc9dfa65eb4c5a

Link:

https://www.unpac.me/results/1a6a142e-5921-4820-949b-0897965efccf/

SH256 hash:

780da6ad1de123c74b8fc845639ee4a2d41b135e8f46fa4b323e8da0da406e53

MD5 hash:

fc60744442054f64a878efed4e934c5c

SHA1 hash:

d9f97d8e033c292a0cbd8801a9aee95d688a56c3

Link:

https://www.unpac.me/results/1a6a142e-5921-4820-949b-0897965efccf/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/780da6ad1de1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/780da6ad1de123c74b8fc845639ee4a2d41b135e8f46fa4b323e8da0da406e53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/278390/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample