MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b
SHA3-384 hash: 32db2791a7426d670e85b1244494716580af0f15d976f3e38c1ae1aca0a00b41ed76458989e7201216a5f6959ad7414e
SHA1 hash: 416b2f17848b34a0702c12a67aea5043744dbb79
MD5 hash: 7e38c251f8674b4a84ae086b1321f32e
humanhash: grey-washington-delta-green
File name:Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'256'960 bytes
First seen:2023-03-06 07:39:52 UTC
Last seen:2023-03-06 09:39:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+fMOEAlI3MzSSV93tU+MHIdysV7trTaEJssXySEZ1UPsjxp+HwSqwwK+Xeyn:+UYdSShUj8trOzsXy3Z1UPsjTuwK+u+
Threatray 2'187 similar samples on MalwareBazaar
TLSH T1EB45A82809FC0AF24571F1FD9FE4E753BD8488E6AB049D99C2838B89555391720AFD3E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 07:41:32 UTC
Tags:
stealer formbook trojan
Link:
https://app.any.run/tasks/ce4b5997-08de-4ac4-a288-48f0ff7090be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371795/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/640598d3f110781a3903ab8f/reports/bad0d39c-f346-4e8e-a3c1-e0399995d0b6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9506bea8-e0b9-45ad-9c96-e1f201fc0b41
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187554
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820430 Sample: Invoice.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Antivirus detection for URL or domain 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 3 other signatures 2->35 8 Invoice.exe 3 2->8         started        process3 file4 21 C:\Users\user\AppData\...\Invoice.exe.log, ASCII 8->21 dropped 11 RegSvcs.exe 8->11         started        process5 signatures6 45 Modifies the context of a thread in another process (thread injection) 11->45 47 Maps a DLL or memory area into another process 11->47 49 Sample uses process hollowing technique 11->49 51 Queues an APC in another process (thread injection) 11->51 14 explorer.exe 3 6 11->14 injected process7 dnsIp8 23 www.42230.org.wcdnga.com 163.171.128.148, 49742, 49743, 49744 QUANTILNETWORKSUS European Union 14->23 25 matrukrupacc.com 216.10.248.111, 49716, 80 PUBLIC-DOMAIN-REGISTRYUS India 14->25 27 10 other IPs or domains 14->27 53 System process connects to network (likely due to code injection or exploit) 14->53 18 wscript.exe 13 14->18         started        signatures9 process10 signatures11 37 Tries to steal Mail credentials (via file / registry access) 18->37 39 Tries to harvest and steal browser information (history, passwords, etc) 18->39 41 Modifies the context of a thread in another process (thread injection) 18->41 43 Maps a DLL or memory area into another process 18->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-04 02:07:11 UTC
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjkurkpop67gns77lscirpjgb3sto6ay7kwisx7m6um7yc67iu5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
27715b211a7693bd15a4580b6ee1e9b9d01c2b1142170b47888b7be538ecb084
Formbook
375023474e1cf7831eae2918f7dd925a8fbc310986a063a00d91a31a07f15f7c
Formbook
402c82df5bcd852868c74eb4d801ac2d33c9361a942eb56020614afe147eab21
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
7fd5172067f790c21d11dc37987f04bbe9e4c04038074b788ac79bcc83c06f1a
Formbook
c448049c359c9ada55dbdefbb772020aa3962804d485ccf52adefb3a2030e3fb
Formbook
d1613f6ca68cdd7b490e9c42b1abc4b5c71aadf146977bdfc3f4d33d2d33159d
Formbook
+ 2'177 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230306-jhjclabb58/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ef3c7bf77e06f90c5fee8f82de30d15cde347504601a2f4a4da5c808fda3d146
MD5 hash:
d721abd1774d5d25c516645d1613380b
SHA1 hash:
1d6ea57141f658bfbcbfa9f30cff02639897a9bd
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
Parent samples :
7fd5172067f790c21d11dc37987f04bbe9e4c04038074b788ac79bcc83c06f1a
375023474e1cf7831eae2918f7dd925a8fbc310986a063a00d91a31a07f15f7c
d1613f6ca68cdd7b490e9c42b1abc4b5c71aadf146977bdfc3f4d33d2d33159d
e92f7d954c97723d975ffb5d04438494d692c6bd3b552a24d826e13ae6252ef4
aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b
ac8157f89fe4d01eb6e009147f4e6a3b64ebd924af77f4c4999b7dba22b53e4d
13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7
07ea5734d5a27eec2e18629559643c25f87676c8f81f9abe12aebf742dead0d1
07843e27993206a92d9e0bfbb249332fcfedad068bec8f7f7f3f318654c7910c
ae2e5e556f6fab620a62ed8dfe072e73ebff0a207177e48cb3b65253055205d4
ac61c80f02e15eb3705836ff8dc9d81543eb0e26059d4aaa9b0895c716deafe4
b153cca3bac87165e94ba9851a895ee316e0b9876795c1216388715a01b45674
179b98e2cb16a094755f853ae892b47948a8b6a83e7ca050d520e113ff180b2f
1bf1d7519eb3538201392d2bc32be1ebf4e2cd720d637bc94a67d0765f6a645a
fe7957318166dd7147d4b7b42360f9369f0657308fa68f929d573d4ac99aed9d
40d4375902fce141fe2e90e675790acb6b8f3d98fb2a53a90aa18cbd629a51ef
SH256 hash:
c5f46eae4c3daf89f723d9a0ed54928319b429e8e6b7e090b6d9887a7f8ef56a
MD5 hash:
efb0011b5da4e019d914f3c0ab18f002
SHA1 hash:
0be02538e44f1a12f5b61d90c94f9bd20c562813
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
SH256 hash:
d8ec03c34a5f3bd93effeafc2e078ade5df75d468dae5208937c69be4fecfe7f
MD5 hash:
cd4b7952d18e1459bae379e5da7f6afb
SHA1 hash:
e09367a20c19427dae20b53cbe761d1b21272c36
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
SH256 hash:
6d678b55a4d3af5f601db79a132e0899a958dc3a964da8915a6882ce97270fc1
MD5 hash:
76dd419aca549f4ac0dfba86270c8fbc
SHA1 hash:
b7c91952736c9135a17aedc1df73e8ded355bcb0
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
SH256 hash:
de1a48bd1e50cb91601815e11206c895ac24551bcbfd6248675452d137c672e6
MD5 hash:
b19bff74ae97cbad38dd6a723b08aec9
SHA1 hash:
a35877f85862fecb74debe18f08265ce5f4ebfa6
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
SH256 hash:
a46998f03ca372f55fec7e4d4de698c5d128eea00502975bf7c337b0d3372640
MD5 hash:
2f5d6edb1b87947812a05ab362fe9a27
SHA1 hash:
4a48608fa247541aae9d2d31b85a2d6c9d191f82
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
SH256 hash:
aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b
MD5 hash:
7e38c251f8674b4a84ae086b1321f32e
SHA1 hash:
416b2f17848b34a0702c12a67aea5043744dbb79
Link:
https://www.unpac.me/results/ab7871c5-cff5-40a6-8e87-312140325f95/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa5548a9ee7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe aa5548a9ee7fbe66cbff5c8488bd260ee5377818faac895fecf519fc0bdf453b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/371795/

Comments