MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5c4469e32f3399e57e3f56a78ea3ce8fb52542ffa51c4ccfc42b5680854ab6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c5c4469e32f3399e57e3f56a78ea3ce8fb52542ffa51c4ccfc42b5680854ab6
SHA3-384 hash: d73429a6c97740b5fc42e7ad6eb652d710d642a35477ca55ec4ebdc024475cb5acdb6394b2c656ce5556162ff94236b8
SHA1 hash: 7298e687c7ee6db59fffd7a9197ec99ae5815c7f
MD5 hash: 04bd913db8304d2c2efb51e70599e9f7
humanhash: nine-queen-grey-mobile
File name:Pdf Scen Invoice 17INV06003.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:712'192 bytes
First seen:2021-05-27 09:31:39 UTC
Last seen:2021-05-27 11:59:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qQMZGdkNvlqfxsHoarXBsKsWlVAOuRGW0P6l7Y3c:qQdkRlm+I4VvVuAjP6BY3
Threatray 5'419 similar samples on MalwareBazaar
TLSH 83E47C1C2168C216D5ADD2B49ED5D82FD250E9377112BFE8D8E703BA1B07A4379821BF
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
4
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BANK DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2021-05-27 06:34:45 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/305e17a5-e7d0-49db-af15-d2ff725832d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162671/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.12165.26991.1236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793110
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 425506 Sample: Pdf Scen Invoice 17INV06003.exe Startdate: 27/05/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 9 other signatures 2->44 10 Pdf Scen Invoice 17INV06003.exe 3 2->10         started        process3 file4 30 C:\...\Pdf Scen Invoice 17INV06003.exe.log, ASCII 10->30 dropped 54 Writes to foreign memory regions 10->54 56 Allocates memory in foreign processes 10->56 58 Injects a PE file into a foreign processes 10->58 14 RegSvcs.exe 10->14         started        17 RegSvcs.exe 10->17         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 19 explorer.exe 14->19 injected 68 Tries to detect virtualization through RDTSC time measurements 17->68 process8 dnsIp9 32 www.zaseto.com 217.198.116.188, 49759, 80 ZONER-ASCZ Czech Republic 19->32 34 gamechangers.ovh 185.225.208.56, 49755, 80 UK2NET-ASGB Germany 19->34 36 18 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 systray.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c5c4469e32f3399e57e3f56a78ea3ce8fb52542ffa51c4ccfc42b5680854ab6/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 22:11:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rroei2pdf4zztzl6h5lkpdvdz2h3kjkc76srytgpyqvvnaefjk3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06590d709bb90096480fb153f62efa1b0738a561014afac367907fa47478079c
Formbook
1b9311365ac0c371e7e3656d8d9074a654bfff4677e074f754e5053bca200298
Formbook
3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
Formbook
501ba71db36e9fde4d0c6a8bde7734dfb5cfd5391452d301033918e0c491ebdd
Formbook
503660af16b89ea2dcb7afa3537cfff0df5cbc3a3f036e4aa7bbd39783cd8df9
Formbook
6716f9ca37043f0684164a12c5971f67c738cefb8b8322556d970f60333d72b0
Formbook
89c01edaf3c1a273cb379afb191b307536223adeff9a4d2e3089d0758714a791
Formbook
9435bf4ae05e98f0e1b3fc55188dba5d50ac937cef36d69112776e39b8584ce4
Formbook
adc50d637d48a25c809ee9e8ee791830d978d45f6cf781b917b8d88788363311
Formbook
e3bee5a93e861869521bc7cc72dbc5f08fe64a1eb1c547d51af200393ea48ea9
Formbook
+ 5'409 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210527-k9em3t3l5j/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.ursulaaubri.com/s5cm/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c5c4469e32f3399e57e3f56a78ea3ce8fb52542ffa51c4ccfc42b5680854ab6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 788d26d24e830328ddb8538a8125af334df8ac92aedc2801af8df7ed0ba90fe8

Formbook

Executable exe 8c5c4469e32f3399e57e3f56a78ea3ce8fb52542ffa51c4ccfc42b5680854ab6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 788d26d24e830328ddb8538a8125af334df8ac92aedc2801af8df7ed0ba90fe8
  
Dropped by
SHA256 a581540b37de1c11b9ea8b2ef286c73f54147dbd4013c1a3dbb3b6f9ef280424
Cape
Cape
https://www.capesandbox.com/analysis/162671/

Comments