MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0
SHA3-384 hash: 84dedefa4160debf5b79264453018d283cb25bcaf5f047a12c499d1a9be262a8fadc522b8ff2c97f4aed7ae689dadbb2
SHA1 hash: f43a2fbe19e8b78ab40c061a18e0727b46784da6
MD5 hash: 6d43c3599479e71ef7961a6169e7d747
humanhash: tango-six-sink-romeo
File name:Payment_Advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:435'200 bytes
First seen:2022-05-24 15:52:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:kiH22qla5w/yXbx+DbZ83FLDqqC5lBJQqIX:kiH0MW/Ibx+DbZ83pqp5lB
Threatray 16'873 similar samples on MalwareBazaar
TLSH T17294DF2D6BB2CD18E8D8057389B657607F1CAFD2016FD31F4882346E997A7D16E903E8
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 07f0d8d4d4d8f007 (8 x AgentTesla, 2 x Formbook, 1 x a310Logger)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Payment_Advice.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 23:50:06 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/5e86fcb2-b99a-493b-b2d4-66fc22fd0f82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274180/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628cff80054dcf0ecae838a6/reports/00e92cf7-21f0-4d3e-8372-8cf16706e8b1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17e10582-0613-422a-9a4f-8e5a8781332a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000835
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633328 Sample: Payment_Advice.exe Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 49 www-bing-com.dual-a-0001.a-msedge.net 2->49 51 dual-a-0001.a-msedge.net 2->51 53 canonicalizer.ucsuri.tcs 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 9 other signatures 2->61 11 Payment_Advice.exe 1 7 2->11         started        15 Skipyfd.exe 3 2->15         started        signatures3 process4 file5 43 C:\Users\user\AppData\Roaming\...\Skipyfd.exe, PE32 11->43 dropped 45 C:\Users\user\...\Skipyfd.exe:Zone.Identifier, ASCII 11->45 dropped 47 C:\Users\user\...\Payment_Advice.exe.log, ASCII 11->47 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 17 Payment_Advice.exe 11->17         started        19 cmd.exe 1 11->19         started        67 Antivirus detection for dropped file 15->67 69 Multi AV Scanner detection for dropped file 15->69 71 Machine Learning detection for dropped file 15->71 21 cmd.exe 1 15->21         started        23 Skipyfd.exe 15->23         started        signatures6 process7 process8 25 explorer.exe 17->25 injected 27 conhost.exe 19->27         started        29 timeout.exe 1 19->29         started        31 conhost.exe 21->31         started        33 timeout.exe 1 21->33         started        process9 35 Skipyfd.exe 3 25->35         started        process10 37 cmd.exe 1 35->37         started        process11 39 conhost.exe 37->39         started        41 timeout.exe 1 37->41         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 13:19:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
32 of 41 (78.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qp3nswdgegipvgdlwab2emx54xpz4hi3ug3s3o4vqiwmxbooy7aa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2fce5c6cd34933c0811963c7333c9ba463632ef7ba87f7140686f833b8cb8a6a
Formbook
32f396374d2c80cb3c72983d7d232e40bdbcd70475c389c94caa118d4c8f3032
Formbook
895ef47b4da61470f4ba9c87d131b1f74adfea16dd6162e5bca0eee391d0a6f4
Formbook
9af7966457a612505ab014eabf6eb8e96a09bdc6b248816506271fc554473197
Formbook
a342e8f2472ac316cab1017fc24f46d8206390f90448b91d62b9225aa3d2e229
Formbook
ac23d509999ba6aeffbf49a41e104a7e876872740dbf24ccff54f5bc36ee3eb6
Formbook
c5b6415df416f3cfe28a72004a02c3a7d2abbddb478a945069e6e20a71215e22
Formbook
+ 16'863 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fs44 persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220524-tbmfsagfc9/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
86dacf814ca96d5ef463f338ce46749cc31a5213b02940289ddbd00da63c5919
MD5 hash:
13afebe5c0a112e3442a7d7f4eb64220
SHA1 hash:
08d59e7c3f28182f7283884e0ab00e15c2bb6d5c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/aaebbedf-f531-48c3-8747-c9b50e7a1c5f/
Parent samples :
83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0
7f6242e9dcb1ce45c70b22d3c87b36b04fbc0b65d7f7ec07b008693d8763b66b
4f96791030398551e7c0dcf5ea66daf14e4f6c21bf8d4563a92fcc531cc18768
78fff929b8912e1b4d90a3be2e07fde0c1f08d45f3682bb009eabca909183f44
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/aaebbedf-f531-48c3-8747-c9b50e7a1c5f/
SH256 hash:
20827be39ee026e245b6be55cf51f804e197037160d9138505cbc79c893fdb7c
MD5 hash:
3dc35b083886a7bc14faf7879c296423
SHA1 hash:
ad5be0b5b491d123dacb94751610ea052550dbf5
Link:
https://www.unpac.me/results/aaebbedf-f531-48c3-8747-c9b50e7a1c5f/
SH256 hash:
83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0
MD5 hash:
6d43c3599479e71ef7961a6169e7d747
SHA1 hash:
f43a2fbe19e8b78ab40c061a18e0727b46784da6
Link:
https://www.unpac.me/results/aaebbedf-f531-48c3-8747-c9b50e7a1c5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reverse_DOS_header
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects an reversed DOS header
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 83f6d958662190fa986bb003a232fde5df9e1d1ba1b72dbb95822ccb85cec7c0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274180/

Comments