MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1267aae5c95df8b4063e1abdb244550e680aefda480b43604492a07906fc59e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1267aae5c95df8b4063e1abdb244550e680aefda480b43604492a07906fc59e
SHA3-384 hash: 8f426e16fe513a574e417558cebc0847905525c5463e791b80ef42f5910764b9813effc2b49def7e5c9acc8433aea830
SHA1 hash: 4296a5ae46ba34b1b04197fb0c868e4a4a39ec72
MD5 hash: 91ac26a215fc5c87319e92564dc2ee28
humanhash: solar-march-moon-shade
File name:Hsbc Scan copy 3547856788 Pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:719'360 bytes
First seen:2021-07-20 12:05:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 67d179cc1bd8024cb66801d5092fedd2 (2 x Formbook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:JFMJS2qUretr/3cd/iWu5n6jRGCjJMLmqRRSsE7/Ssdpk6dz:JFModTMdxuFAkqYmq7S1764z
Threatray 6'090 similar samples on MalwareBazaar
TLSH T10BE4AE77A2E049B2C26B263C8D4B3374596D7F532D18E9555FF22E5CEB3A743342A082
Reporter abuse_ch
Tags:exe FormBook HSBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hsbc Scan copy 3547856788 Pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 12:13:19 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9323054a-995f-442a-acb7-6c17d9207821

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172798/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.47661.23216.27909.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16556855-5b43-4aff-a47c-afd639074869
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818899
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451306 Sample: Hsbc Scan copy 3547856788 Pdf.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 45 www.hareemshareem.com 2->45 47 www.amazingutahhome.com 2->47 49 amazingutahhome.com 2->49 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Yara detected FormBook 2->75 77 3 other signatures 2->77 11 Hsbc Scan copy 3547856788 Pdf.exe 1 19 2->11         started        signatures3 process4 dnsIp5 55 cdn.discordapp.com 162.159.130.233, 443, 49711, 49713 CLOUDFLARENETUS United States 11->55 43 C:\Users\Public\Libraries\...\Cmvdlau.exe, PE32 11->43 dropped 99 Writes to foreign memory regions 11->99 101 Allocates memory in foreign processes 11->101 103 Creates a thread in another existing process (thread injection) 11->103 105 Injects a PE file into a foreign processes 11->105 16 mobsync.exe 11->16         started        19 WerFault.exe 20 9 11->19         started        file6 signatures7 process8 signatures9 57 Modifies the context of a thread in another process (thread injection) 16->57 59 Maps a DLL or memory area into another process 16->59 61 Sample uses process hollowing technique 16->61 63 2 other signatures 16->63 21 explorer.exe 2 16->21 injected process10 signatures11 79 Uses ipconfig to lookup or modify the Windows network settings 21->79 24 Cmvdlau.exe 13 21->24         started        28 Cmvdlau.exe 13 21->28         started        30 ipconfig.exe 21->30         started        32 mstsc.exe 21->32         started        process12 dnsIp13 51 cdn.discordapp.com 24->51 81 Multi AV Scanner detection for dropped file 24->81 83 Machine Learning detection for dropped file 24->83 85 Writes to foreign memory regions 24->85 34 ieinstal.exe 24->34         started        53 cdn.discordapp.com 28->53 87 Allocates memory in foreign processes 28->87 89 Creates a thread in another existing process (thread injection) 28->89 91 Injects a PE file into a foreign processes 28->91 37 ieinstal.exe 28->37         started        93 Modifies the context of a thread in another process (thread injection) 30->93 95 Maps a DLL or memory area into another process 30->95 97 Tries to detect virtualization through RDTSC time measurements 30->97 39 cmd.exe 1 30->39         started        signatures14 process15 signatures16 65 Modifies the context of a thread in another process (thread injection) 34->65 67 Maps a DLL or memory area into another process 34->67 69 Sample uses process hollowing technique 34->69 41 conhost.exe 39->41         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1267aae5c95df8b4063e1abdb244550e680aefda480b43604492a07906fc59e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 12:06:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uethvls4sxpywqdd4gv5wjcfkdtiblx5usalinqejevapedpywpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c3748f23fb4ade0edb0e497f0f39adc528cec04ac7530e15e3f5baad6b69567
Formbook
33f0d367ae282d4c9b9a6acbfefd3e86999eb84fc65c43d99f1de1b95c1f80af
Formbook
3979a76f278cc417a50932f048516b0168237b6b4ca108ef779fec69b1bc0c0d
Formbook
92258f992fbf15509591d96b11cb50eda41cf0c19f35fdd089c311ca5eace947
Formbook
b120686883591f5a09157eb0fbfb502d4ee834ca717f9b77ab6bd9d0f85eb353
Formbook
c31cfb4fc17ad48af21bc13020fd46ba29e9761aba5a256965eeab9366b689c1
Formbook
c65e9659dc7d97331803b2137d4d7e0a47869eca75d718ea9f92397dcd68eb55
Formbook
dfeee5d9c053d15545731ee40402ff950beff2e55760d7187ef13675810cc288
Formbook
ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41
Formbook
+ 6'080 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader persistence rat
Link:
https://tria.ge/reports/210720-8vjh26sfcn/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.ker-huella.com/synv/
Unpacked files
SH256 hash:
3c89381eb5d9bc9b2cc8835190944650d0fab08f3f5bd80e7d60c805c34f85a3
MD5 hash:
046256d9fc63f3f656d8a381e787ccdd
SHA1 hash:
d60bbe23be14e9acd5d9f718ce5686dbcf65e518
Link:
https://www.unpac.me/results/387b3c38-6db3-47a2-893e-b6fc2ff263e8/
SH256 hash:
a1267aae5c95df8b4063e1abdb244550e680aefda480b43604492a07906fc59e
MD5 hash:
91ac26a215fc5c87319e92564dc2ee28
SHA1 hash:
4296a5ae46ba34b1b04197fb0c868e4a4a39ec72
Link:
https://www.unpac.me/results/387b3c38-6db3-47a2-893e-b6fc2ff263e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1267aae5c95df8b4063e1abdb244550e680aefda480b43604492a07906fc59e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a1267aae5c95df8b4063e1abdb244550e680aefda480b43604492a07906fc59e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/172798/

Comments