MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54
SHA3-384 hash: f525015a9928d7c8ec5b657705cf6ad23c7a0a04d20eedcfc98d5979c8650e7818056cd2998a0d8c7012d852e888b9d4
SHA1 hash: 9a225f4936ef458a3371e7681f942b7733d8eb25
MD5 hash: ac0aafad021d642a83f0e0e00f925160
humanhash: ink-diet-fruit-alanine
File name:Inv_7623980.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:980'480 bytes
First seen:2021-07-22 05:30:07 UTC
Last seen:2021-07-27 15:24:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:l6F7UAVmIVSV371+vgUWoJ8TDfPOAYxx4PpK6dXPrKyxmu9bzNr5na8+WXsL2O7G:LS83hLISE/MQylMo
Threatray 6'713 similar samples on MalwareBazaar
TLSH T15C25383439FA501AB173EFAA8BE475AADA6FB7333B07645D109103864723A41DEC153E
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
4
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inv_7623980.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 05:32:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f5348b2-f299-4b87-ae99-639de7de882d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173216/
Detection(s):
SecuriteInfo.com.Spyware.MSIL.Noon.gen.9595.12573.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b629afd6-7cdf-4428-a34a-341bb9a99132
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819932
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452343 Sample: Inv_7623980.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 31 www.lagu45.com 2->31 33 pixie.porkbun.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 5 other signatures 2->47 11 Inv_7623980.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\Inv_7623980.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 Inv_7623980.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.aliyunwangpan.com 103.139.0.9, 49742, 80 WEST263GO-HKWest263InternationalLimitedHK China 18->35 37 mpsaklera.com 72.44.69.242, 49753, 80 MULTA-ASN1US United States 18->37 39 13 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 control.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 01:48:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qhf577i3itfjqmmaivwqlc4ovlpvdln5dfqa3o66nc7hutxqtjka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c2a99cd33ecf5c40ea8e15227d60b649c6eabbef386444a8a4d8030eb3b8d1b
Formbook
34066150ffa7efa505b8d2246925cd8a32f83b9609438ae76aa27cef7388054d
Formbook
5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
Formbook
8855c73a66320b1d62c22f7af62feb301d13e4b68f4edfba64bf47473ad58c4a
Formbook
a8e63fd4741e92c3b02d247fc348b1f0d33bb635e00121063f0efc3caafcc088
Formbook
aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
Formbook
bb8edab2af37d542c7774e5f5253e1de86fc80525f29e0e274747378201a3537
Formbook
cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Formbook
ddd0a01812b2dba3e3373a246180349b74f3301ba3e218a81144785a13d8cad5
Formbook
f782375e80f3a68b36457886ac1c6490e2497e6c9fb3ffdb33c1679597f0770e
Formbook
+ 6'703 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210722-ff8w7ybv3e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.inverservi.com/m6b5/
Unpacked files
SH256 hash:
971ff8dc9e5e17edf904ffff8117c60e45f607b100d685fdb059569105228885
MD5 hash:
30f7eef363be89f5371d1b42efc6a775
SHA1 hash:
aa3a124919e036103c75d3b89bc089a16abf5d92
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/766fa7d9-5df1-4789-8c71-70e0d8752849/
SH256 hash:
3d7aebc5f0493c028605673f6114e2340a528b3b485f84896e33688e470089f8
MD5 hash:
c09f91c4935fabda697e9435f0b6c18e
SHA1 hash:
43d58aa0c78c8025d7d3b494739a9b4acb7a9500
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/766fa7d9-5df1-4789-8c71-70e0d8752849/
Parent samples :
3ad516ed1d59d2a83e03dd014de474999c1d20885639cd2f77c1108c636636df
81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54
6afa5e287f69f392b8481a94ebb1729c606a1f1023820e79e942ad40dfe96859
1bc91158db7c9edb77fa2d26fda6efd017b8aa70c3bc68d5542059e3f44b9e77
7c071823d86f7f37eb038add1e274db23c722612d74602e11496d0b4e312103a
ffb4062f3105628be393872c098765b9a7736911cb8fee4ff571b006a891c8a8
18b7d102ed7c43b96306fcf3616a4e96add77a7d2c55296dd059f974ef8ddcf5
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/766fa7d9-5df1-4789-8c71-70e0d8752849/
SH256 hash:
5f6f23ec86c2b5e12a0c93f461e7eac1944ca743a4ccc62164565cf391e5a8fc
MD5 hash:
e805de9b92baa75ae955f9c17e266835
SHA1 hash:
d74daf1c7d903b820ad5a0c2472029e1511920d7
Link:
https://www.unpac.me/results/766fa7d9-5df1-4789-8c71-70e0d8752849/
SH256 hash:
81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54
MD5 hash:
ac0aafad021d642a83f0e0e00f925160
SHA1 hash:
9a225f4936ef458a3371e7681f942b7733d8eb25
Link:
https://www.unpac.me/results/766fa7d9-5df1-4789-8c71-70e0d8752849/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 74895afae683396981f97ac9816f39ea4f0c0588355ea6e7696034aa1650d6f8

Formbook

Executable exe 81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 74895afae683396981f97ac9816f39ea4f0c0588355ea6e7696034aa1650d6f8
Cape
Cape
https://www.capesandbox.com/analysis/173216/

Comments