MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481
SHA3-384 hash: 33b5e839e654989f9cf5de2483f21ace54cc05e2c5b9b3dc280526241fe6996a43358e527f93c90667ed93aa3b517c39
SHA1 hash: 1c87e5c8f089cbeeb92130f70a6cfd1b1323e0bb
MD5 hash: 19423ceb0e06158e5fcc57207d7419e1
humanhash: minnesota-bulldog-oklahoma-enemy
File name:Invoice pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:536'064 bytes
First seen:2021-02-10 20:36:20 UTC
Last seen:2021-02-10 22:54:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:TAizNVdXD8BRxV7vwt40xTWEEZ+cnVwMkhxp9UXcmjf:zVdXDwRxV7k4ncWdk/p2M
Threatray 3'809 similar samples on MalwareBazaar
TLSH 95B4DF3232987F51E57E97790421914093F6E586D722EB0EBEB851CD1E62F80C7327AB
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 20:40:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca6ee177-86f8-4674-b584-d909abdbc0a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116643/
Detection(s):
SecuriteInfo.com.Artemis19423CEB0E06.19932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605149
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 351604 Sample: Invoice pdf.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 100 42 www.tkrbeautyinstitut.com 2->42 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 14 other signatures 2->56 11 Invoice pdf.exe 7 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\OEhVruGlRy.exe, PE32 11->34 dropped 36 C:\Users\...\OEhVruGlRy.exe:Zone.Identifier, ASCII 11->36 dropped 38 C:\Users\user\AppData\Local\...\tmp20F5.tmp, XML 11->38 dropped 40 C:\Users\user\AppData\...\Invoice pdf.exe.log, ASCII 11->40 dropped 14 Invoice pdf.exe 11->14         started        17 schtasks.exe 1 11->17         started        19 Invoice pdf.exe 11->19         started        process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 44 mrcskin.com 37.97.254.27, 49751, 80 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 21->44 46 www.contrarrie.com 23.226.65.211, 49758, 80 IOFLOODUS United States 21->46 48 6 other IPs or domains 21->48 58 System process connects to network (likely due to code injection or exploit) 21->58 27 cmd.exe 21->27         started        signatures10 process11 signatures12 60 Modifies the context of a thread in another process (thread injection) 27->60 62 Maps a DLL or memory area into another process 27->62 64 Tries to detect virtualization through RDTSC time measurements 27->64 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 15:08:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbqohry6zocbndv3l4sn7eol2dnxdehihn4xkrqg47pnpw6jisaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2a5b157dc8c983424ebc3a69962649236e17001585de6280cf11f4d94742d28e
Formbook
2dce266f65b63c927ddf95e71bb0d226eb1c8b260ba8a6965ba1352e9fa837af
Formbook
3550ff88757875f1e8566d7855eacb36fa3213a1537d4125555bc71a88d55018
Formbook
420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
Formbook
48d3a3e4c8e3ee8168d1f0b24f1d57ba7f7f66628f7f81ee9dab9f9f26aadfd7
Formbook
726a32ca7c910d88e59d2d2364def087b00b9c869ef29926016884def6457b6b
Formbook
72c822dc6059af0f57f65a9e52a509e30caefe4225367c3eec186f013134d54f
Formbook
7c8c0bb9a552f62aa1ef1e5c037ef17b2064055d15025eea8c6b2b5ccd54f10e
Formbook
c8c864915e84ba7ec98eed5ed70893bcb5b328e59751694595a71b303ea587aa
Formbook
cc768b0d5c345d446eacb21922c6561e763015cc6782fdde5a051e1d4fe56acf
Formbook
+ 3'799 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210210-1dxapzrzvx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.brasilseo.com/bft/
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/52f89ee0-25e1-4165-8c96-818b9218415a/
SH256 hash:
8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481
MD5 hash:
19423ceb0e06158e5fcc57207d7419e1
SHA1 hash:
1c87e5c8f089cbeeb92130f70a6cfd1b1323e0bb
Link:
https://www.unpac.me/results/52f89ee0-25e1-4165-8c96-818b9218415a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z ab8a74506e2bbda2a335357cbe0ba5728784d75fb28f67efa1a885c6156d33fc

Formbook

Executable exe 8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ab8a74506e2bbda2a335357cbe0ba5728784d75fb28f67efa1a885c6156d33fc
Cape
Cape
https://www.capesandbox.com/analysis/116643/

Comments