MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98
SHA3-384 hash: 42dd724be5ae83f7b4aba96d1ce89cee19499d1e6db74dd11cd80c31b2f91b8a675ac752d6ac8237c1a7a187cbb64ca5
SHA1 hash: 79e7fe3186f64c276ee0a52126073fec21ab997e
MD5 hash: d040f035b741e8895f5004bff64924dd
humanhash: tennessee-florida-eleven-jersey
File name:bank in slip-Inv 3489.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:224'933 bytes
First seen:2022-04-19 11:32:48 UTC
Last seen:2022-04-19 21:57:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmRhVAiCcJb3gInVhXXjyGuOTkXyFRYqKZk0M:HNlVA9cZwIVhXX4OTk87H5
Threatray 14'993 similar samples on MalwareBazaar
TLSH T188241214AF40C933D9F396710F36AAB66FFFA6022129C3036710AF597837346991E766
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "JOYCE PARRA - SEALCO <bella@quantums-gps.co.uk>" (likely spoofed)
Received: "from mail.quantums-gps.co.uk (mail.quantums-gps.co.uk [159.223.218.100]) "
Date: "19 Apr 2022 04:15:24 +0200"
Subject: "bank in slip-Inv 3489"
Attachment: "bank in slip-Inv 3489.exe"

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
bank in slip-Inv 3489.exe
Verdict:
Malicious activity
Analysis date:
2022-04-19 06:16:25 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/1288c5fd-6b99-4860-844f-cde678661d91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264595/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed python shell32.dll
Link:
https://www.filescan.io/uploads/625e9dee482f2f41cad1879d/reports/28416850-388e-4982-9655-027bd826eed7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b19ec87-f3d9-4d79-b9bf-a1cd5dc31e55
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978798
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 611285 Sample: bank in slip-Inv 3489.exe Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 36 www.themesamurai.com 2->36 38 www.summerinfluence.com 2->38 40 9 other IPs or domains 2->40 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 5 other signatures 2->62 12 bank in slip-Inv 3489.exe 18 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\Temp\weentr.exe, PE32 12->34 dropped 15 weentr.exe 1 12->15         started        process6 signatures7 76 Multi AV Scanner detection for dropped file 15->76 78 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->78 80 Tries to detect virtualization through RDTSC time measurements 15->80 82 Injects a PE file into a foreign processes 15->82 18 weentr.exe 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 48 Modifies the context of a thread in another process (thread injection) 18->48 50 Maps a DLL or memory area into another process 18->50 52 Sample uses process hollowing technique 18->52 54 Queues an APC in another process (thread injection) 18->54 23 explorer.exe 18->23 injected process10 dnsIp11 42 www.official-dyson.online 185.104.45.90, 49835, 80 UKRAINE-ASUA Ukraine 23->42 44 vip-suppliers.com 185.138.42.146, 49778, 80 TOPHOSTGR Greece 23->44 46 13 other IPs or domains 23->46 64 System process connects to network (likely due to code injection or exploit) 23->64 66 Performs DNS queries to domains with low reputation 23->66 68 Uses ipconfig to lookup or modify the Windows network settings 23->68 27 ipconfig.exe 23->27         started        signatures12 process13 signatures14 70 Modifies the context of a thread in another process (thread injection) 27->70 72 Maps a DLL or memory area into another process 27->72 74 Tries to detect virtualization through RDTSC time measurements 27->74 30 cmd.exe 1 27->30         started        process15 process16 32 conhost.exe 30->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 00:41:39 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qyqn7kljjkyjqpdyk47wuxj3nkpk4buqokbmnlkmvbh2punxtoma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68
Formbook
3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489
Formbook
49f94b3fbaf875cb2c223cdee59cfdedf4b2b937fba4a473cf2e4f767b44cb4c
Formbook
67435ee3c6fd3d272c004256f34020df37fb93fd33c18720053b9d2c1bb19b67
Formbook
8609b523be1b22061f1c01a8587f04874836d490196cfa09e8c1eed005f298a0
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
97e3431b489d64fb200c178334d0229cea2495e7f01856ac8571e4f085636b73
Formbook
da30dd86e912cbfcf0cb4306265cedf47604891dc868db7c59dd92d47ad32063
Formbook
da90895ec14c13c733ba3550194ab36a4c64130c5c2b2038c163dff0c505b3e3
Formbook
f9fe6b62b2af1b4f6cf38d7526de1824b057220901e997dda4ee1083047e1753
Formbook
+ 14'983 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:6gom loader rat
Link:
https://tria.ge/reports/220419-nnt4hahgc5/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
c773279c07d56223ded25aa0ce525c235bc821dcad8004e561a12cc680be8884
MD5 hash:
4dfd942c95ab43a8e5cef96a35c987b3
SHA1 hash:
aa4204cab31b78209504fb00f277fde2060b7d06
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e04fbdc3-7b6e-47af-b963-09cfe69f7386/
SH256 hash:
e64af896c249487df98a6e18b8bcaefc5834ca6a30e5fbffd460e5829bde7ca2
MD5 hash:
209a07db02c7ddc1e2b7a5f482885907
SHA1 hash:
a5337b8bd31ece69a97be03a431c408fb71d61ae
Link:
https://www.unpac.me/results/e04fbdc3-7b6e-47af-b963-09cfe69f7386/
SH256 hash:
8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98
MD5 hash:
d040f035b741e8895f5004bff64924dd
SHA1 hash:
79e7fe3186f64c276ee0a52126073fec21ab997e
Link:
https://www.unpac.me/results/e04fbdc3-7b6e-47af-b963-09cfe69f7386/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8620dfa9694a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8620dfa9694ab0983c78573f6a5d3b6a9eae06907282c6ad4ca84fa7d1b79b98

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
Formbook
Cape
Cape
https://www.capesandbox.com/analysis/264595/

Comments