MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f
SHA3-384 hash: 4cca33fd172b8c44e795fc4638d2902767718265763a56e13a2defb6444a022d477d126a681365ff7f7399b52bc23111
SHA1 hash: d71954224a3c986ac4a7f116d4067d98257cfbb5
MD5 hash: 5cdcec900819b181a01ea4c007995969
humanhash: eight-xray-minnesota-edward
File name:Payment Slip.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:229'012 bytes
First seen:2021-08-10 09:13:07 UTC
Last seen:2021-08-10 09:54:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6b61b8e7cfb6c1ac49476384f4084e5 (8 x Loki, 4 x Formbook, 1 x SnakeKeylogger)
ssdeep 3072:1g10r0K/C7MAov2zdV2JE/0unArFJHJlrAlfidgVkmv058mZT6+upQkdO7:1q0rpsMA+krMBBJHJZdnrb6+uQ
Threatray 7'620 similar samples on MalwareBazaar
TLSH T1B52412B5A1D81AE8D1BF4C3506E172029ADD883C471FE2F3D06524736A7F8D1A67782E
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip.exe
Verdict:
Malicious activity
Analysis date:
2021-08-10 03:28:17 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a9a6ea3c-5260-409e-8090-ba2348ffa302

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177873/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Noon.lc.30590.29236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching the process to change network settings
Sending a UDP request
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a1b7ae0-9d3d-4538-a893-95a0f9bd6bf6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830036
Signature
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462467 Sample: Payment Slip.exe Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 34 www.lunasparallevar.com 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 11 Payment Slip.exe 2->11         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 11->52 14 Payment Slip.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 28 lumber-pt.com 182.48.49.190, 49706, 80 SAKURA-CSAKURAInternetIncJP Japan 17->28 30 sleekedup.net 72.52.252.191, 49712, 80 LIQUIDWEBUS United States 17->30 32 18 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 control.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 09:13:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p7lvmf7ohhuo2upx4empbksgxa4rnw7q2hlwtyeiyp6kpjgaafhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07af0ffdb9e42eb6ca145708be323b7641311d943d28ba746d5f16dd4c5a3eed
Formbook
1dc173b24c0b503a394568e4a1fff7887dd739cc287e529f25b173dbfea4010b
Formbook
224ddfe0908d9cc2833a8f0f4c28f8a95ba1975cc0e8da5434a8ce17df54f972
Formbook
3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624
Formbook
4796e12d5a33b3b717b0ddc65286b9de7479e86bc91cc0bdb843722a5b62951b
Formbook
6d308c2e93c341ef11c0b14420e158fd650c637190a4daedf003ec091e703a85
Formbook
a1e601d45399b724a7247ca82708d74182923dc096c62031ec80419e26f8e0f6
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609
Formbook
+ 7'610 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ieqo loader rat suricata
Link:
https://tria.ge/reports/210810-y18xk59yjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.rukreditpay.com/ieqo/
Unpacked files
SH256 hash:
e5c497c0770b119a72919ef46dceef93eebd149e56788727ed959ae3234ba509
MD5 hash:
fa55c6e1e9ed49ba1879e5762cce8f25
SHA1 hash:
f7912e1863797e3365ab1a2df01415a4659a037e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbd69f3a-792f-45b5-bfe4-eff9b8729d5a/
Parent samples :
3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624
7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f
SH256 hash:
7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f
MD5 hash:
5cdcec900819b181a01ea4c007995969
SHA1 hash:
d71954224a3c986ac4a7f116d4067d98257cfbb5
Link:
https://www.unpac.me/results/bbd69f3a-792f-45b5-bfe4-eff9b8729d5a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7fd75617ee39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz c1ce2e8d13a1272f8f4db5ff64b9fa10660d7040f71ac3de3e09a775daade60e

Formbook

Executable exe 7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c1ce2e8d13a1272f8f4db5ff64b9fa10660d7040f71ac3de3e09a775daade60e
Cape
Cape
https://www.capesandbox.com/analysis/177873/

Comments