MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a
SHA3-384 hash: 17d16544ea8e933c20fb4669fcc8d3e911b8f235fdb3407bc0119bbf54e5f4be845130f2eda67a7a43e6b5e3da03e7be
SHA1 hash: 7f6cc3851f4e778abad04e910849d81321b3112b
MD5 hash: ff3e0ab57af118dc198c22762d82a853
humanhash: batman-white-romeo-mango
File name:Payment_receipt-jpg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:210'617 bytes
First seen:2021-02-26 07:31:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:r9X0GfRSkvYCzAZ58ry8dCtFPbdJ7zbNko:F0qNYEAU3CtFPDzhj
Threatray 3'977 similar samples on MalwareBazaar
TLSH 2A24126263E0D4FFD91A437119BB6D29EFE9E66532461B076B482BC9344202FF90F385
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_receipt-jpg.exe
Verdict:
Malicious activity
Analysis date:
2021-02-26 13:29:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a7805fb6-6242-47e3-9a86-2499ab764f84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119356/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/619471
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358731 Sample: Payment_receipt-jpg.exe Startdate: 26/02/2021 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 8 other signatures 2->57 11 Payment_receipt-jpg.exe 11 2->11         started        process3 file4 33 C:\Users\user\AppData\...\q543aatx9th.exe, PE32 11->33 dropped 35 C:\Users\user\AppData\Local\Temp\9v3vv.dll, PE32 11->35 dropped 14 q543aatx9th.exe 1 11->14         started        process5 signatures6 67 Multi AV Scanner detection for dropped file 14->67 69 Maps a DLL or memory area into another process 14->69 71 Tries to detect virtualization through RDTSC time measurements 14->71 17 q543aatx9th.exe 14->17         started        20 conhost.exe 14->20         started        process7 signatures8 43 Modifies the context of a thread in another process (thread injection) 17->43 45 Maps a DLL or memory area into another process 17->45 47 Sample uses process hollowing technique 17->47 49 Queues an APC in another process (thread injection) 17->49 22 explorer.exe 17->22 injected process9 dnsIp10 37 mfsextract.com 34.102.136.180, 49759, 49771, 49776 GOOGLEUS United States 22->37 39 td-balancer-euw2-6-109.wixdns.net 35.246.6.109, 49770, 80 GOOGLEUS United States 22->39 41 24 other IPs or domains 22->41 59 System process connects to network (likely due to code injection or exploit) 22->59 26 chkdsk.exe 22->26         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 26->61 63 Maps a DLL or memory area into another process 26->63 65 Tries to detect virtualization through RDTSC time measurements 26->65 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 07:30:20 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvl52rojp6rgymmhfdlxurxknnu27oqg2hf5yaexl7rhjewf6f5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
010192b5d3b3e85925fc312177759597b78fa7f6feb282cf3a743aae9f53067d
Formbook
0e1ec8c0b16042cc5f4e0c137f3939aa3e4a47096b32f1c2d41baf1a0d9aa177
Formbook
1382bae50eece1846b8d858d0f975b900eb1a5908f789333c55b1341b1b0d57b
Formbook
1c0a0e62b6945e4613b04e61cfc76b876d647b632ccf5d72d9d1e24fa967550f
Formbook
45fda70b08542ae52a8228a61e317973f42b477583841e384e9817d7d2dd3709
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
561562923f5bb53f6113b9a15c60cf2755437556e9e48cdc3fc3ae7ebe0171a7
Formbook
b5e2b52a984579c7f0aa92d0acaa6eef67f06af5330857ba98a62345edd59908
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
de7e8ed0bd9ad8231adb43f89717a72375e29c9360e2b78bbc918992093bc217
Formbook
+ 3'967 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210226-5jwyhp73ve/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.t-delivery.com/c8bs/
Unpacked files
SH256 hash:
402260747b0fbaa0dc8560c616b65cb758e13fd2da70627acbde9a214096c6c3
MD5 hash:
9bef44351dfbc499326ec37aa07dd912
SHA1 hash:
f288eecb36073a41976538233f949f0f2421cd94
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc1cab52-dd72-4818-bf38-f0bbb244cbce/
SH256 hash:
6b53d6fa4acf1b4c9d9c7409802f7777d034bc3a962153a8cd9d5fbca6f24afd
MD5 hash:
8d9bff9b3f3edf81661f9115855f4ade
SHA1 hash:
9cf878d442d2fc5126b1893486c2365684b2b9db
Link:
https://www.unpac.me/results/bc1cab52-dd72-4818-bf38-f0bbb244cbce/
SH256 hash:
c3e8fd48c7c175936dd9e7481c892ab5a3cd2aadeb643d264224c3dfe7095a89
MD5 hash:
d1e12e3c51fec6f539ae3fc7189ba4c9
SHA1 hash:
0de859143bf88344d8a3be60348e7a6f4e8d6ecf
Link:
https://www.unpac.me/results/bc1cab52-dd72-4818-bf38-f0bbb244cbce/
SH256 hash:
a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a
MD5 hash:
ff3e0ab57af118dc198c22762d82a853
SHA1 hash:
7f6cc3851f4e778abad04e910849d81321b3112b
Link:
https://www.unpac.me/results/bc1cab52-dd72-4818-bf38-f0bbb244cbce/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e7680bf3da532f3f49a6265e0ae4d7473d8b46e5c1281cf49873ce06d98f9d9a

Formbook

Executable exe a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a

(this sample)

  
Dropped by
MD5 481140c66c8443aa0189c22073a62c1d
  
Dropped by
SHA256 e7680bf3da532f3f49a6265e0ae4d7473d8b46e5c1281cf49873ce06d98f9d9a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119356/

Comments