MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92e01cf56625e95b0d5c7f0706403ddcb068bdcd82e82a45ed9c296f0df394d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92e01cf56625e95b0d5c7f0706403ddcb068bdcd82e82a45ed9c296f0df394d4
SHA3-384 hash: 6463237613cde26a05db6cd7e70a740c15e32ac46ff0e8b6d1fe2edef2d6a7e7257f2e778a194faad5452d3b2149c67c
SHA1 hash: 5ac0c2da3f14031dfc86843bf2c8edc07e50af18
MD5 hash: 996c8542a72835aadb275977ca35c28c
humanhash: jig-missouri-pasta-michigan
File name:Payment 9.10000 USD.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:955'392 bytes
First seen:2021-03-22 15:17:14 UTC
Last seen:2021-03-23 18:03:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:IAeJca1Ltn3uXo3p+jzY9hknmWztNOCz7:kca1Ltn3uXoZ+jkHknhiCz7
TLSH 7015BF6D21151B27C4388FF268D16693E7B8AD1A35A5C705CCC1B2D513BAB53388FA8F
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment 9.10000 USD.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 15:24:03 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a050b35f-7904-49f3-b66c-f38cf0044f3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125976/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DOX.genEldorado.25499.26175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6263adc0-094d-40d7-845e-15bf32de78db
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/648027
Signature
.NET source code contains very large strings
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372976 Sample: Payment 9.10000 USD.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 12 other signatures 2->52 10 Payment 9.10000 USD.exe 6 2->10         started        process3 file4 34 C:\Users\user\AppData\...\jDHdEwUqXH.exe, PE32 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp32B8.tmp, XML 10->36 dropped 38 C:\Users\user\...\Payment 9.10000 USD.exe.log, ASCII 10->38 dropped 56 Injects a PE file into a foreign processes 10->56 14 Payment 9.10000 USD.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 Payment 9.10000 USD.exe 10->19         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 40 meenaconstruction.com 103.14.97.80, 49751, 80 TRUNKOZ-INTrunkozTechnologiesPvtLtdIN India 21->40 42 e6onlinetour.com 107.161.71.196, 49742, 80 IWEB-ASCA Canada 21->42 44 21 other IPs or domains 21->44 54 System process connects to network (likely due to code injection or exploit) 21->54 27 systray.exe 21->27         started        signatures10 process11 signatures12 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 62 Tries to detect virtualization through RDTSC time measurements 27->62 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92e01cf56625e95b0d5c7f0706403ddcb068bdcd82e82a45ed9c296f0df394d4/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 15:16:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=slqbz5lgexuvwdk4p4dqmqb53sygrponqlucurpntquw6dptstka._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210322-tf1ls4drda/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.nutrigabrielacarvalho.com/m8es/
Unpacked files
SH256 hash:
813b2a3275b6e9e92254644e5932b0571f0e5239a1be1b44da464c24a04891cc
MD5 hash:
8582bafea8ed35ae55fb11a4fa80cd6d
SHA1 hash:
6e60cf3412001c3c98241ef86944b8402557434f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/91c5e91a-4dd8-48dd-8790-adac5c045700/
Parent samples :
2dc07e970dd5581d1bd22d69e454dceda70d8f87cc84757f86c094b2fdb7f985
92e01cf56625e95b0d5c7f0706403ddcb068bdcd82e82a45ed9c296f0df394d4
SH256 hash:
9c594248b35f35e099d5e868be9d84b792d859a13a8af2fca17ad68e88a94803
MD5 hash:
62d178de1e975750c2cf9f4df66e5835
SHA1 hash:
7bac1a0ce82c0916a0947640e8c5624b31fa6e3d
Link:
https://www.unpac.me/results/91c5e91a-4dd8-48dd-8790-adac5c045700/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/91c5e91a-4dd8-48dd-8790-adac5c045700/
SH256 hash:
92e01cf56625e95b0d5c7f0706403ddcb068bdcd82e82a45ed9c296f0df394d4
MD5 hash:
996c8542a72835aadb275977ca35c28c
SHA1 hash:
5ac0c2da3f14031dfc86843bf2c8edc07e50af18
Link:
https://www.unpac.me/results/91c5e91a-4dd8-48dd-8790-adac5c045700/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92e01cf56625e95b0d5c7f0706403ddcb068bdcd82e82a45ed9c296f0df394d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/125976/

Comments