MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b0bc19da168e08d383523f412fd6dd81fecdfccdfe59d239c736506dc13b0cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b0bc19da168e08d383523f412fd6dd81fecdfccdfe59d239c736506dc13b0cd
SHA3-384 hash: 18e5dc1081969d34a41a7127bd6d40f742a969367a0170e683cfe8e9a80460f01f2f036a6baa90d38d4decf6589dfc98
SHA1 hash: 5e6da39f8b722d4123bdfa07409c7fd78b3d5737
MD5 hash: 6b2728139698e9f8dd53d208982d0641
humanhash: leopard-magnesium-indigo-emma
File name:TNT Original Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:343'584 bytes
First seen:2022-08-13 06:17:19 UTC
Last seen:2022-08-13 06:39:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:DIAXZZo/nCc8+RoFTj9lAEmdk6qjfHmHu/dZAxC8rkR8ICTOomEVD:vZZyCSRo1xlRml+fGtxC8rkR8ICTOom
Threatray 1'177 similar samples on MalwareBazaar
TLSH T11F748C9C756035CFC897F9F19AA81C24AA217CA6570BC203E47736AC9A3D597CF440BE
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook TNT

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
TNT Original Invoice.exe
Verdict:
Malicious activity
Analysis date:
2022-08-13 06:26:56 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/cec9937b-373d-4c95-a3a0-609f1ffac669

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/298358/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.34829.18298.386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Searching for synchronization primitives
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed wacatac
Link:
https://www.filescan.io/uploads/62f74257e4e65a67c4a430e7/reports/52b49810-87a2-495a-a492-97e4ae47e047/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77388132-7936-4381-9da6-4b48f93f8aef
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050956
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected potential unwanted application
Executable has a suspicious name (potential lure to open the executable)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 683467 Sample: TNT Original Invoice.exe Startdate: 13/08/2022 Architecture: WINDOWS Score: 100 27 www.brainpeoplecollective.com 2->27 29 www.awesomegih.net 2->29 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 11 other signatures 2->43 9 TNT Original Invoice.exe 1 2->9         started        signatures3 process4 file5 25 C:\Users\...\TNT Original Invoice.exe.log, ASCII 9->25 dropped 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Injects a PE file into a foreign processes 9->59 13 cvtres.exe 9->13         started        16 cvtres.exe 9->16         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 18 explorer.exe 13->18 injected process9 dnsIp10 31 www.998899.lc 128.14.22.37, 49854, 49856, 80 ZNETUS United States 18->31 33 artistamundial.com 66.225.241.38, 49857, 49859, 80 USG-CORPORATIONUS United States 18->33 35 6 other IPs or domains 18->35 45 System process connects to network (likely due to code injection or exploit) 18->45 22 chkdsk.exe 13 18->22         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 22->47 49 Tries to harvest and steal browser information (history, passwords, etc) 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b0bc19da168e08d383523f412fd6dd81fecdfccdfe59d239c736506dc13b0cd/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-12 09:08:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmf4dhnbndqi2obvep2bf7ln3ap6zx6m37sz2i44onsqnxatwdgq._file
Verdict:
malicious
Similar samples:
01b7ecba4c040bd3c352b2023e1f7f38c2b2ef741f23a91301153f03760d3505
Formbook
1da2f6c15940cf37556f471f610fa4812f5d2809d0c9908ac2a2bddae0a56b07
Formbook
3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab
Formbook
8745bcfcc6dcae5b29429a611278c58127abaf751650d7177bb94b801ea67e81
Formbook
cbd2c4b5531b924ae824137a1349613686aa8e9599adbfc2c1741b69c3f2ad24
Formbook
d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c
Formbook
ee643573b6c459331e833e00629da9643b47da0f661a82020dd2c0db5ccfa259
Formbook
f239a57a44872a5cc2f4facc6b62acb8ea45c39f2bad517991ca52a682c46d91
Formbook
+ 1'167 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220813-g2ms1shad2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
aa1871a6c1fe17fda81349156b1368494579a38ce8d7ddb911902acd3d133961
MD5 hash:
53e8f4ba6e3a667868eca46b0a4a8d72
SHA1 hash:
369224ef8e8aa09691d7ce2083929442b73550e8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2514e171-41fd-4a75-9ff2-3db83d36d854/
Parent samples :
aa7436d336aa352db635976f19fe9f6fce9078608d3fdb4bbe1994f3425326ec
8b0bc19da168e08d383523f412fd6dd81fecdfccdfe59d239c736506dc13b0cd
b3aacdce33e707b3c746e091c700042484e2916c9072d6065e0cb6505aed9724
905dd9e890f6ed79a1a1d55aa2a1134d1415e874783a2a46d266d90005174ce0
dbe6edef6915f72ae6a2be3fff6620f7d187f6430c3e46702c374e08385acddd
13719a6ec946f01321466c47537734cc9b1ae2c3943e7f1971c085c0e98ce81a
4e50e27798aadc14b8bd88d3e15f48e4217517f609ed1f5bd8ea06522f8b8baf
b5cc87fd5f7ec59b978d6b6b3f142fe60bd10233c887aceca55954c84ccda9e0
9a61edd9b5ea6a7486c0f016e3b3335a2f4b8c3fb59f5b45c4b57a5aafb8b1c6
fd6c37d7e88dcea50b3ff64bdc6b0c6bc84ca6a5f1f753587c78f26bd5feff4c
a7e7ce206966cd8a16bc3d80dc608740ea6dc81983c8a8481ad4754cc02163bc
54dad457608c666626603d6612ab44e1fc81049898e292d1511a7e684ea31cc6
4a180eb3aa1d0ce4ef2a44679132f0b646c63f7d24439d0ddab6a09b9afaebf9
5c2538990f139690efc6411f297aa8c985a9198a3159d0abb5d243ada93d819c
bb1cdf3e4dc9939b08e34959a5733017b71c081f5ac851b74dc3cc182ee61418
9586cb34f6fa42b5b89f4457f775731256f1b53ac22aaa3a35aa4ad305f632a7
SH256 hash:
aff0f2b5b607376ca0bd13b720012a0812dff74f26dfbbaf87f24ce7cf873bab
MD5 hash:
bd82e260f84fc82019bfcbf2e944fde9
SHA1 hash:
c840c5b2df24086b0b2f2c51e3301a8c012cdbf2
Link:
https://www.unpac.me/results/2514e171-41fd-4a75-9ff2-3db83d36d854/
SH256 hash:
b8578fd9dae40473d33304306f4f8728f2362bc230a252a21f8b5bdeeb5859d2
MD5 hash:
54a59e8d6b6143d478eeff206929176e
SHA1 hash:
9252b935252ea045c868d6ebfd5b585d3b86f4c0
Link:
https://www.unpac.me/results/2514e171-41fd-4a75-9ff2-3db83d36d854/
SH256 hash:
a597cb5db9ae2dd56289e77e7589e88675cde1b5f7ae6e5c695e9bab629ebabd
MD5 hash:
e2a3932448ec9fe4ab3634244013e8ee
SHA1 hash:
84c324dcb93a21fab2b5c61b26f344367c671fe8
Link:
https://www.unpac.me/results/2514e171-41fd-4a75-9ff2-3db83d36d854/
SH256 hash:
2e813fdfa2bb11ffd22aa3fdef42215f25aa56dac7a6fb4591f0fcce07e6a558
MD5 hash:
33a95d2a774ffda769091b30bca2b7e7
SHA1 hash:
19d32df67af4ce4c8cc6bef7ee2060ecf08daf2a
Link:
https://www.unpac.me/results/2514e171-41fd-4a75-9ff2-3db83d36d854/
SH256 hash:
8b0bc19da168e08d383523f412fd6dd81fecdfccdfe59d239c736506dc13b0cd
MD5 hash:
6b2728139698e9f8dd53d208982d0641
SHA1 hash:
5e6da39f8b722d4123bdfa07409c7fd78b3d5737
Link:
https://www.unpac.me/results/2514e171-41fd-4a75-9ff2-3db83d36d854/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b0bc19da168/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8b0bc19da168e08d383523f412fd6dd81fecdfccdfe59d239c736506dc13b0cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298358/

Comments