MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4
SHA3-384 hash: 784d407a2e8446b2bb7d7b0c2bc6f0ac4935aa83065c5f92d7221c4e81ce7bc148ba4f3ecce5d2068b1c4485a72f0d5e
SHA1 hash: 6dff245bd3bee89555cbd65ac8d4a136d1fc5300
MD5 hash: 1a48b4b314d6f2b3e9a67a8261b6d0d1
humanhash: papa-fix-beer-zulu
File name:Invoice #0023228 PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:227'593 bytes
First seen:2021-03-03 07:35:07 UTC
Last seen:2021-03-03 09:39:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:ZT4DtRF5xXGGxhTju8gOWPESDuzEJJDh0ZCNocL:ZTIHpxA8grc0LJ30ZU5
TLSH 34241241A7A4CC77C1B11178153A967F9FAAC0195C50FE4B07416A8D3EB1EE2CF2F5A2
Reporter abuse_ch
Tags:exe FormBook GoDaddy


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: a2nlsmtp01-05.prod.iad2.secureserver.net
Sending IP: 198.71.225.49
From: Klevev Finance A.P <customerservice@hhmtelemedicine.com>
Subject: Payment Invoice Receipt
Attachment: Invoice Payment Receipt PDF .img (contains "Invoice #0023228 PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice #0023228 PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-03-03 07:41:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b86200fb-99ef-461e-8ac1-5a4253350781

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/121268/
Detection(s):
SecuriteInfo.com.Variant.Jaik.44324.16404.4854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Connection attempt
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/625736
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 361854 Sample: Invoice #0023228 PDF.exe Startdate: 03/03/2021 Architecture: WINDOWS Score: 100 32 www.highcore-info.com 2->32 34 www.connecthacker.net 2->34 36 www.001894.com 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 11 other signatures 2->52 11 Invoice #0023228 PDF.exe 11 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\oljxv2rr2.dll, PE32 11->30 dropped 62 Maps a DLL or memory area into another process 11->62 15 Invoice #0023228 PDF.exe 11->15         started        signatures6 process7 signatures8 64 Modifies the context of a thread in another process (thread injection) 15->64 66 Maps a DLL or memory area into another process 15->66 68 Sample uses process hollowing technique 15->68 70 Queues an APC in another process (thread injection) 15->70 18 explorer.exe 15->18 injected process9 dnsIp10 38 www.lms-pg.com 41.203.16.26, 49728, 80 xneeloZA South Africa 18->38 40 www.elmejorsetup.com 217.76.156.252, 49744, 80 ONEANDONE-ASBrauerstrasse48DE Spain 18->40 42 6 other IPs or domains 18->42 54 System process connects to network (likely due to code injection or exploit) 18->54 22 cmstp.exe 12 18->22         started        signatures11 process12 dnsIp13 44 www.tusdaygfts1.com 22->44 56 Modifies the context of a thread in another process (thread injection) 22->56 58 Maps a DLL or memory area into another process 22->58 60 Tries to detect virtualization through RDTSC time measurements 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-03-03 07:35:27 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=quzjolyztoc2gntrbseu3xv6u5la67yzy52lkkqnmsbhlfqojw2a._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210303-5k4bsg2pa2/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.yaksync.com/p6mp/
Unpacked files
SH256 hash:
b34fb342f21d690aac024b6f48a597e78d15791ef480ac55159cd585d0f64af7
MD5 hash:
0a9fb96a7579b685ec36b17fc354e6a3
SHA1 hash:
355754104dd47d5fcf8918dee0dc2e2ee53390a6
Link:
https://www.unpac.me/results/6e86e621-19dc-40f3-b8e4-b19738c4d591/
SH256 hash:
1dec5c474e1623d5d5fdfd37d834eab8679d6b145b562a73829d345486c4e887
MD5 hash:
c507643c4d20f6ffd3fda6f7816984ef
SHA1 hash:
f6becad3fb82823984b3c99577a69649fc48111d
Link:
https://www.unpac.me/results/6e86e621-19dc-40f3-b8e4-b19738c4d591/
SH256 hash:
8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4
MD5 hash:
1a48b4b314d6f2b3e9a67a8261b6d0d1
SHA1 hash:
6dff245bd3bee89555cbd65ac8d4a136d1fc5300
Link:
https://www.unpac.me/results/6e86e621-19dc-40f3-b8e4-b19738c4d591/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img f0d126f49034e3701305ea919df19a34f32e55971ba4a4c970cfbebae601a23f

Formbook

Executable exe 8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4

(this sample)

  
Dropped by
MD5 d29aadaf68b91be934641eac6f3206d6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f0d126f49034e3701305ea919df19a34f32e55971ba4a4c970cfbebae601a23f
Cape
Cape
https://www.capesandbox.com/analysis/121268/

Comments