MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7
SHA3-384 hash: 7ccfa9fff0d2f92bb00074eaec07f153f9010a863b942cb51bedf56cf836ff60e6de99c8898aec35b73fba86f4cfdc0c
SHA1 hash: 0e1b7baa19c708aada04ebe148575996eb5ee7cb
MD5 hash: fbc0a38898145f58ec52b75a6a0d4f58
humanhash: venus-nuts-lima-eight
File name:Payment Confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:887'808 bytes
First seen:2021-08-23 07:20:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:bPvDc9F3nC0Py3gAhI3cPtgRBKmSL4NT29PnrpTtQ/wFkXih3cHIy2P5K:bPaK/LS2VnRK/w6wcHh6
Threatray 8'500 similar samples on MalwareBazaar
TLSH T13515C4BC19B9B6279079C765EBE18817F0409C9F3151ADA4E4EE27B7032EA5234C723D
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Confirmation.exe
Verdict:
Malicious activity
Analysis date:
2021-08-23 07:21:40 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/81f7fce2-0834-43ab-b06f-19876d062738

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181415/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51616977-8cae-40fd-a855-287acb8549bb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837328
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469757 Sample: Payment Confirmation.exe Startdate: 23/08/2021 Architecture: WINDOWS Score: 100 37 www.mattarelloly.xyz 2->37 39 www.bitdoubler.info 2->39 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 11 other signatures 2->55 11 Payment Confirmation.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\...\Payment Confirmation.exe.log, ASCII 11->29 dropped 14 Payment Confirmation.exe 11->14         started        process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Maps a DLL or memory area into another process 14->65 67 Sample uses process hollowing technique 14->67 69 Queues an APC in another process (thread injection) 14->69 17 explorer.exe 14->17 injected process8 dnsIp9 31 www.ilovepretoria.com 41.203.18.177, 49690, 80 xneeloZA South Africa 17->31 33 galaxyinsurancequotes.com 162.241.24.56, 49689, 80 UNIFIEDLAYER-AS-1US United States 17->33 35 9 other IPs or domains 17->35 45 System process connects to network (likely due to code injection or exploit) 17->45 47 Uses ipconfig to lookup or modify the Windows network settings 17->47 21 ipconfig.exe 12 17->21         started        signatures10 process11 dnsIp12 41 www.psd4arb.com 21->41 43 192.168.2.1 unknown unknown 21->43 57 Modifies the context of a thread in another process (thread injection) 21->57 59 Maps a DLL or memory area into another process 21->59 61 Tries to detect virtualization through RDTSC time measurements 21->61 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 11:31:08 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2m5ykf4zc7df6yuo66gwz62kllhdfpb5hv4syjbdcu6dadhll3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
18f4cf60cabec371c21e141ab1e15754654351ba4bfd85ae717f5c760f3c102a
Formbook
5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf
Formbook
8d77ac5e45a0f443b317f1a717dffd55e98319508cc05080ea006b5fcc93c78a
Formbook
a352710790883442f580f87d70387649d03b7d1d6472d995ca4bdf96d88bbf50
Formbook
ab4795f656b54e9388c89d6a4df52747510fa418bdb50aa3bafd7b332ef1ff81
Formbook
c3dad4eb294afef3dd4251826c1c1d25679c1044120e8bfaaea14e582be06357
Formbook
d337cba627486e1f99e4a96407591609d888c6656a4010b88047e7cd1ab19482
Formbook
dc26789a27709300dcdd742b50b8acb5c4d96d13c0aa5adb69c4f76d8e75c8ba
Formbook
de3c81ef7e59a386f6572d4c095739d45493d90b03c348748200012ec165372f
Formbook
+ 8'490 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ubqk loader rat suricata
Link:
https://tria.ge/reports/210823-clepxkhlqn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.fireescapebk.com/ubqk/
Unpacked files
SH256 hash:
e09e6ea59c1b29aa8a2ec27e0dc5445b11af6b8fd732b85f6d29833f6b23f730
MD5 hash:
f24f944546a1eef1a9b287bc38f033f5
SHA1 hash:
167ef08debfb058ea502ff4ce7c820aab61563bb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/de984af1-190f-49e8-ac02-e7d354467131/
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/de984af1-190f-49e8-ac02-e7d354467131/
SH256 hash:
4b6ae310ca8ce8418ce430b75eb477f0f917fd797534e1d10b16c0a61a0d31ff
MD5 hash:
774429e77a3b23cd7b4a04201d91334a
SHA1 hash:
7c49ae0a66834e8fdbc9453014443dfaf927a21b
Link:
https://www.unpac.me/results/de984af1-190f-49e8-ac02-e7d354467131/
SH256 hash:
7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7
MD5 hash:
fbc0a38898145f58ec52b75a6a0d4f58
SHA1 hash:
0e1b7baa19c708aada04ebe148575996eb5ee7cb
Link:
https://www.unpac.me/results/de984af1-190f-49e8-ac02-e7d354467131/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/181415/

Comments