MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a
SHA3-384 hash: 9a23f654c147f53256d4a0d7c193885690b625c6393f0955e626b8501fc1de30422a14b1b2175391a129c3e5540788c4
SHA1 hash: a2be2155f5a8fcc885805d088b964672a5abef50
MD5 hash: 5fa3b6700fa5579d6267af0b8da3de8c
humanhash: mango-green-oxygen-wolfram
File name:Balance Transfer Payment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:262'646 bytes
First seen:2021-09-30 12:24:45 UTC
Last seen:2021-09-30 13:06:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBscPjN8LDMQ56GnbUxp9KeRU59PJEueqJNDBJ2YWrR:/cPjN8/MPGb8hO9PKuewNDBJfuR
Threatray 9'884 similar samples on MalwareBazaar
TLSH T14A4412533690C8E7D672A3306DB7EF79F2FD92145461BA074BE4ADEB19141CA0B0B2C6
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193614/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.13447.8072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5a2e2f0-a2ea-45ee-ab19-4dbca2199cfa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861946
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494381 Sample: Balance Transfer Payment.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 31 www.vicoob.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 11 Balance Transfer Payment.exe 17 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\ojmvaffkweq.dll, PE32 11->29 dropped 55 Injects a PE file into a foreign processes 11->55 15 Balance Transfer Payment.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.luodedurven.quest 37.123.118.150, 49895, 49897, 80 UK2NET-ASGB United Kingdom 18->33 35 www.onlineexitpoll.com 217.160.0.237, 49898, 80 ONEANDONE-ASBrauerstrasse48DE Germany 18->35 37 7 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 12:25:10 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=utapaipxw7qzny5f3drsjs2aqtausqojjuvkwzt6xcdemskiwrfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c22acaa973cbb781aea92dc1fb5a8c7cc1fd2abd403f2a6b9703f8f1e1c8657
Formbook
1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
Formbook
50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a
Formbook
6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c
Formbook
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
Formbook
909b2ca8fbea2b6c03ccf3d90e0416b12df094fcf02c47fbf59839a9ce105538
Formbook
9fd6d5c3553557a9cb263962d71901a681aaa50f3808436b7dff7c4c97289b5e
Formbook
a7acd97fcff334160640901d977010aa55397f5a6da375ab38bcb1622b800f7d
Formbook
cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a
Formbook
d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2
Formbook
+ 9'874 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:s8ne loader rat suricata
Link:
https://tria.ge/reports/210930-plmgbahghq/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.urbanfashionstore.com/s8ne/
Unpacked files
SH256 hash:
82dd9580861c59ad38ea896496392c38d84dd09c02d45c0f16d97325849da98b
MD5 hash:
0de23826b219c12fef4351c9e6a1e38b
SHA1 hash:
d956fc51b16e2505016e5d198b77c6d98bc9879d
Link:
https://www.unpac.me/results/8f801ab7-fa54-4bce-a835-c35fb6a65712/
SH256 hash:
a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a
MD5 hash:
5fa3b6700fa5579d6267af0b8da3de8c
SHA1 hash:
a2be2155f5a8fcc885805d088b964672a5abef50
Link:
https://www.unpac.me/results/8f801ab7-fa54-4bce-a835-c35fb6a65712/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/193614/

Comments