MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8165ac99e7dbfb2059308aaa1105ede0f191bb846d14dfd7ed709c3bcfb88510. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8165ac99e7dbfb2059308aaa1105ede0f191bb846d14dfd7ed709c3bcfb88510
SHA3-384 hash: 4f2575422312ab1b023353e47f966d4e7418a4d93676122d6822e5603862ae7349f669d5273addc407ae42159cab8f2c
SHA1 hash: 179eff5b36d76590dc2225191152313cf6135505
MD5 hash: 147a8837d4c40043c70ea3c819a98adf
humanhash: early-friend-cup-table
File name:invoice copy.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:731'136 bytes
First seen:2021-11-25 06:49:59 UTC
Last seen:2021-11-26 14:09:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:GBzcmhiTzu+vWTf19UlU+CMcvS7v/9ponTR8WXFsa/UhnWMD0gyWz/O/cXixBFm0:GBomhiXBWD1QUjRqr/9Y2uaaMhnWMD0b
Threatray 11'568 similar samples on MalwareBazaar
TLSH T137F4F12233F8499FC7BE06F6A464548003F5BA17619ED7DD8DC5B4EE09E2F424712A2B
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice copy.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-25 06:52:12 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b992f149-de7c-448d-9794-5eec28ca9605

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Sanesecurity.Rogue.0hr.20211125-0605.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619f322202c80febc2a8e4cd/reports/f3fdc403-8104-4d37-a543-31c9eecf6bd7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a97fa55f-6c5e-4d90-a98b-e87965914aaf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895906
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicius Add Task From User AppData Temp
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528384 Sample: invoice copy.pdf.exe Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 15 other signatures 2->54 10 invoice copy.pdf.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\Roaming\KhhRUrkK.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp8622.tmp, XML 10->38 dropped 40 C:\Users\user\...\invoice copy.pdf.exe.log, ASCII 10->40 dropped 58 Adds a directory exclusion to Windows Defender 10->58 14 invoice copy.pdf.exe 10->14         started        17 powershell.exe 24 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process8 dnsIp9 42 lojavirtualnuvem.com.br 52.200.197.31, 49825, 80 AMAZON-AESUS United States 21->42 44 www.tarjarosa.com 21->44 46 2 other IPs or domains 21->46 56 System process connects to network (likely due to code injection or exploit) 21->56 29 cmmon32.exe 21->29         started        signatures10 process11 signatures12 60 Self deletion via cmd delete 29->60 62 Modifies the context of a thread in another process (thread injection) 29->62 64 Maps a DLL or memory area into another process 29->64 66 Tries to detect virtualization through RDTSC time measurements 29->66 32 cmd.exe 1 29->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8165ac99e7dbfb2059308aaa1105ede0f191bb846d14dfd7ed709c3bcfb88510/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 03:15:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
67
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfs2zgph3p5sawjqrkvbcbpn4dyzdo4enukn7v7nocodxt5yquia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26b24cfe3b0bb84b26fc83ce689b74728ac61f32391772dcc76eab04cc7042b5
Formbook
2776237004407d8c72906ce72050cda1b0d9abeb20e313abf7a98e6fea03ce8d
Formbook
3d0d81b07dac6bebdcf5d7a2306f4659e9df8bd40aaeba10ae37d03b30221d3b
Formbook
5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9
Formbook
5ab3abbaaa772885b083fd8bd8d5855e8c6578c4a7cbaeef2cf68c1a3f4c1e11
Formbook
7f15af6ad30b84b5047a47d92a2319b1043dc00576d80a5cae1e8a23fcb97854
Formbook
c32b5b1c2a90a6a38f7dc2dcb4541c111fa1ddc39eab5f0173205aa4079cbc5e
Formbook
e2682ee08233df5afc90d9295165ffed0373e4f34278d99d5a30622c2577639b
Formbook
eb39b7952714c4a7c7fbfc68a077ef0a2dd31c24da35078da08bcfc0b1e2ff32
Formbook
ff64ff314c7947e5faae8181ac818b124a6d17d0fc3a66e8777a78a613d6093c
Formbook
+ 11'558 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:f2t3 rat spyware stealer trojan
Link:
https://tria.ge/reports/211125-hlz9vahgd5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.allnestek.com/f2t3/
Unpacked files
SH256 hash:
a9ff94ea07ebc9addb6b07b801a1556a55f60b1a7c3f9f0e03553fc75c797c75
MD5 hash:
4e4465c2d38b1a2c9cab0b464e4ababd
SHA1 hash:
6c39811a6aa53bca5c3998582af73bc80ddee6ff
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/460278d3-9e86-474f-972d-571960e80200/
SH256 hash:
f6639a3b21a09ca5e9e43e10f8ac7f822956232806805252096f03f68bc9815c
MD5 hash:
aa334e922c53c5cba0b43c342ac13b14
SHA1 hash:
68109327b5e98174293bb348dfea6a088cbd5d2f
Link:
https://www.unpac.me/results/460278d3-9e86-474f-972d-571960e80200/
SH256 hash:
7c184c37157681e202accaafac14091fa717442789adf6b615b7ab3810ac8488
MD5 hash:
ee97f71e16cc1ac6aabce47988a97eb4
SHA1 hash:
630f6d4690f1f264d8a9e1bf845e68f0893ac357
Link:
https://www.unpac.me/results/460278d3-9e86-474f-972d-571960e80200/
SH256 hash:
8165ac99e7dbfb2059308aaa1105ede0f191bb846d14dfd7ed709c3bcfb88510
MD5 hash:
147a8837d4c40043c70ea3c819a98adf
SHA1 hash:
179eff5b36d76590dc2225191152313cf6135505
Link:
https://www.unpac.me/results/460278d3-9e86-474f-972d-571960e80200/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8165ac99e7db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8165ac99e7dbfb2059308aaa1105ede0f191bb846d14dfd7ed709c3bcfb88510

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8165ac99e7dbfb2059308aaa1105ede0f191bb846d14dfd7ed709c3bcfb88510

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/209235/

Comments