MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445
SHA3-384 hash: d34d8bec1d438d88070957f221c60ce9fdde4675dc0b18ca705f320f14ac0ba49dab7b5e22a33adfe62575878cdd2889
SHA1 hash: e3d5973e19c416eb25e9b5520c906f957347bbaf
MD5 hash: c4b1f1cc91c61633e94a7952bfd4a925
humanhash: pasta-montana-butter-cup
File name:Proforma invoice 416484 Documents.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:655'360 bytes
First seen:2022-05-11 08:17:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:Dp9pzJd100USIS3IQNyvYp7O7ydKgtPUwWIya402jwTKVZ4p:DTz483IQ0oKyUgNU502jVY
Threatray 13'656 similar samples on MalwareBazaar
TLSH T1C4D4120522E8EB71D1BF3F74647930185FB8BD6AB43BE32D4EC0688D29567A149247B3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d2e25945ba9cf0 (15 x AgentTesla, 9 x Formbook, 7 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269629/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627b717c40f9dd937eec0826/reports/5ebaa70e-92d2-4c63-9a12-2cbdd71f4c17/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/729e9fb8-93c6-496d-ad1e-95d75fa6c1cf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991687
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624183 Sample: Proforma invoice 416484 Doc... Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 12 other signatures 2->52 10 Proforma invoice 416484 Documents.exe 7 2->10         started        process3 file4 38 C:\Users\user\AppData\Roaming\isSiLJOU.exe, PE32 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmpB89E.tmp, XML 10->40 dropped 42 Proforma invoice 4...4 Documents.exe.log, ASCII 10->42 dropped 56 Adds a directory exclusion to Windows Defender 10->56 58 Injects a PE file into a foreign processes 10->58 14 Proforma invoice 416484 Documents.exe 10->14         started        17 powershell.exe 22 10->17         started        19 schtasks.exe 1 10->19         started        21 2 other processes 10->21 signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 23 explorer.exe 14->23 injected 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        process8 dnsIp9 44 www.xg998.com 103.224.212.220, 49838, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 23->44 54 System process connects to network (likely due to code injection or exploit) 23->54 31 cmmon32.exe 23->31         started        signatures10 process11 signatures12 68 Self deletion via cmd delete 31->68 70 Modifies the context of a thread in another process (thread injection) 31->70 72 Maps a DLL or memory area into another process 31->72 74 Tries to detect virtualization through RDTSC time measurements 31->74 34 cmd.exe 1 31->34         started        process13 process14 36 conhost.exe 34->36         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445/
Threat name:
ByteCode-MSIL.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 06:04:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwakwyovlk3xvhemyxhwwvelhqghuct22hoaqhwf5ehtobtncrcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
499fb85e548a134abdf18b6a9d149b9c4f2bf9b0f534dd4c86e600180fb19bf9
Formbook
58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce
Formbook
5c4b6b6b72e020bea0a32b9ca0542bd404e91eff6344648aae077ad332593744
Formbook
7b3be400d99b473afc9f2bdf46477b61736a71db20cd9d1137b0cab4d4aaeff9
Formbook
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
Formbook
b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3
Formbook
eba97a314b1c02ecdd75fe691c6883b214dc0b239d0ba39b7d578162b5218ad0
Formbook
ffb2ebccfae79f8c1d5911d41e549a8f876a10708053a4f3a3dbc2ec0e04be48
Formbook
+ 13'646 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o18j rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220511-j69vfsahdl/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
81621c2cb0534047140e930dec3f56c8a82b4da0edbdd4735d7b2aac0f1cd0d9
MD5 hash:
30fc22115bbbad0a22eab88dec072c92
SHA1 hash:
afc7cee2d35fc21c0a8ae21009f0856309abc345
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b0948be9-54e6-45c9-af18-430dd2e4f4fb/
Parent samples :
0052550949ab904c6378bf94738d19eaddf7a1f4f1c99d4d75789566f9e95440
b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3
a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/b0948be9-54e6-45c9-af18-430dd2e4f4fb/
SH256 hash:
3c2b60c80f322f749a4f8e5b5a46b96c737dd6171e8ee728f193958d7da74346
MD5 hash:
a237fa48922043c1205bcdf23c71eeb8
SHA1 hash:
8e4036e93a55bd4073d7c2977c3daec41aec5159
Link:
https://www.unpac.me/results/b0948be9-54e6-45c9-af18-430dd2e4f4fb/
SH256 hash:
9cd7f63f3506744edec9be922dd3f8b7355a859be1c4ca19214ebaac9336d1ff
MD5 hash:
bf30ffa5bf9cb2b375221c4174266495
SHA1 hash:
30502023ad543e73c7c89c086b05bba97e5625c6
Link:
https://www.unpac.me/results/b0948be9-54e6-45c9-af18-430dd2e4f4fb/
SH256 hash:
a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445
MD5 hash:
c4b1f1cc91c61633e94a7952bfd4a925
SHA1 hash:
e3d5973e19c416eb25e9b5520c906f957347bbaf
Link:
https://www.unpac.me/results/b0948be9-54e6-45c9-af18-430dd2e4f4fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269629/

Comments