MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c
SHA3-384 hash: 5d72d0d9bc4646d458512d41c8fba5e17d39e03a0d05dac4edb0dccf21e412d922f8ed216bd9bddbab7b8e32d592bc6f
SHA1 hash: 1fa9fdee64d2e294698384792bdde624fe5e0b2d
MD5 hash: 7ba101bbbf7e1d44248a85609a8d4c80
humanhash: victor-grey-hydrogen-minnesota
File name:PAYMENT DETAILS COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:715'776 bytes
First seen:2022-06-06 13:25:45 UTC
Last seen:2022-06-06 13:58:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:dS3FDdpbS4P2XLT/rFXil8Ltc0Yzp78j0+FZt6Ixi8suJGkpaU9A3BX5Z9z:dS1HbIXLT/9xLtU+j4IxsiGUaU9A15nz
Threatray 13'300 similar samples on MalwareBazaar
TLSH T1C7E4E03077AB5218C97B0BB50DB151C5177A7A7BBF04C61D286A120CED72B538B12BBB
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10c0e0bc90909000 (12 x AgentTesla, 12 x Formbook, 7 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PAYMENT DETAILS COPY.exe
Verdict:
Malicious activity
Analysis date:
2022-06-06 13:35:02 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/c57ce7b3-f3cc-4da0-94c7-22fda1d32931

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277045/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1366.714.14277.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/629e00ab824d74ef94f74d08/reports/a5cf89b1-f155-48f7-973a-8a3c1573e53c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9ad6a9d-cb7f-4857-a42d-6c04f0fdfaac
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007384
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 639880 Sample: PAYMENT DETAILS COPY.exe Startdate: 06/06/2022 Architecture: WINDOWS Score: 100 42 www.smonique.com 2->42 44 www.royalkingcourierandcargo.com 2->44 46 4 other IPs or domains 2->46 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 12 other signatures 2->60 9 PAYMENT DETAILS COPY.exe 7 2->9         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\pYonVrdqZbbzfo.exe, PE32 9->34 dropped 36 C:\...\pYonVrdqZbbzfo.exe:Zone.Identifier, ASCII 9->36 dropped 38 C:\Users\user\AppData\Local\...\tmp3229.tmp, XML 9->38 dropped 40 C:\Users\...\PAYMENT DETAILS COPY.exe.log, ASCII 9->40 dropped 70 Writes to foreign memory regions 9->70 72 Adds a directory exclusion to Windows Defender 9->72 74 Injects a PE file into a foreign processes 9->74 13 RegSvcs.exe 9->13         started        16 RegSvcs.exe 9->16         started        18 powershell.exe 23 9->18         started        20 2 other processes 9->20 signatures6 process7 signatures8 76 Modifies the context of a thread in another process (thread injection) 13->76 78 Maps a DLL or memory area into another process 13->78 80 Sample uses process hollowing technique 13->80 82 Queues an APC in another process (thread injection) 13->82 22 netsh.exe 13->22         started        25 explorer.exe 13->25 injected 84 Uses netsh to modify the Windows network and firewall settings 16->84 86 Tries to detect virtualization through RDTSC time measurements 16->86 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        process9 dnsIp10 62 Modifies the context of a thread in another process (thread injection) 22->62 64 Maps a DLL or memory area into another process 22->64 66 Tries to detect virtualization through RDTSC time measurements 22->66 48 www.carshop-funnel.com 103.224.182.242, 49801, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 25->48 50 parkerest.com 198.54.121.148, 49853, 80 NAMECHEAP-NETUS United States 25->50 52 4 other IPs or domains 25->52 68 System process connects to network (likely due to code injection or exploit) 25->68 32 autochk.exe 25->32         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-06-06 10:41:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sy63wmol5jjl7npaogrvwk6lnp3xax2vjd5hqj5nsyascuti6zoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0793dfe009772f771270e113edc94fc7a19fa5d7f53a3e858f9775319b9d536e
Formbook
19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0
Formbook
441c12b87bca3daf36a571d93fa052b1cb47d9f6b1f80ef22ead84a1961ec66d
Formbook
613b5446494dbc42b570d8435ab8fd6d85a1b58a86235da24381b6cb74ec6fd9
Formbook
85c4a7b05bef2a96564ca886c9f331dd36422bbbe59dde525924b7f6c91eb0dc
Formbook
98b37948b3fb4073288074d09862819e5c1db1b53f5636f8427b2cd003bf3555
Formbook
a861c51fc6fba9da6fe8f42513395fef9f61b0ae69daa80fa9d695000608ed20
Formbook
fc753d6a1adb745147ae129b7745f4d5bdb7c02fcad71e96bb40b305ca0b45b8
Formbook
+ 13'290 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:few9 loader rat spyware stealer suricata
Link:
https://tria.ge/reports/220606-qph4qscggm/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
c61f01d1072eba99ba66193b69ff297eaefdce4843bf0a6654141eb83e15afd9
MD5 hash:
33c38355fba51df200b63fe7f02e73b0
SHA1 hash:
4a115afee559667be616dabd822874d0a3b41a34
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5d381274-efe8-499c-ba01-c10a084b2d56/
SH256 hash:
cb71e2b62d8b0e9df63da7edd6dbef57564e37a4c1a5b661714d11e6ad73c55a
MD5 hash:
1b4b04ff385587334b1bc1ea4f6ff1ef
SHA1 hash:
f07dececa3860e8dc476f9e3c96055edca537883
Link:
https://www.unpac.me/results/5d381274-efe8-499c-ba01-c10a084b2d56/
SH256 hash:
47757e25dbaebca31a741a8a848cee243ac5eb1f8972a179e4ce693443ec1314
MD5 hash:
8534f4751609f9567f027eb5110c9b7a
SHA1 hash:
9a033fc3ea3a8ecb5f778d37d154d5006ffca84a
Link:
https://www.unpac.me/results/5d381274-efe8-499c-ba01-c10a084b2d56/
SH256 hash:
8e88aaa9014d04b1ef25dbcda8ddd06017be33b89c185a0ef60e84ce07d4aa82
MD5 hash:
dbcd32a3fceab5491cf57ec1d665f4d2
SHA1 hash:
5805fb72ee86ee4420fd14790b29ee0651d35def
Link:
https://www.unpac.me/results/5d381274-efe8-499c-ba01-c10a084b2d56/
SH256 hash:
963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c
MD5 hash:
7ba101bbbf7e1d44248a85609a8d4c80
SHA1 hash:
1fa9fdee64d2e294698384792bdde624fe5e0b2d
Link:
https://www.unpac.me/results/5d381274-efe8-499c-ba01-c10a084b2d56/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/963dbb31cbea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace 3697fc0b34e169667f1f2f4f2ab3fc8685908d3328b2f6f813336d324c73b929

Formbook

Executable exe 963dbb31cbea52bfb5e071a35b2bcb6bf7705f5548fa7827ad9601215268f65c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3697fc0b34e169667f1f2f4f2ab3fc8685908d3328b2f6f813336d324c73b929
Cape
Cape
https://www.capesandbox.com/analysis/277045/
  
Dropped by
MD5 bd2938553c3cd1d5e8db81cd0415b2be

Comments