MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
SHA3-384 hash: 57595fcd42c2dfebd224c1300c31d9b0135473f5aebb7ed85ed05ae945fbb96fda2f249d9fe3edc7b7ea662ce1ad6999
SHA1 hash: dac00f0068f3f97a71faf15577ce0c7d855ff691
MD5 hash: 9a308e1ea62b7ede8876e433178957d1
humanhash: earth-four-king-ink
File name:Pago pendiente.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:624'640 bytes
First seen:2024-04-23 12:18:43 UTC
Last seen:2024-04-23 12:19:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:6SnBB6f5+Zq7aXVZm/1u2eo45hx5BEW3piNHmbWW66T5Lp:6uB60q7yVYeD5hx5npgmbT66Tn
TLSH T15BD4121835563F95E03FABB5543A652003B1A57DF631E6EEDFC220D72C21F809A62B27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request
Forced system process termination
Setting browser functions hooks
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6627a738c5dabc22b2065116/reports/cbcd9efd-eb73-43ba-93c2-cd102fdee78e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de77ca03-bca2-453e-bd4a-434f79f32ead
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430321
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430321 Sample: Pago pendiente.exe Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 32 www.zgcple.info 2->32 34 www.wonderdread.cloud 2->34 36 14 other IPs or domains 2->36 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 9 other signatures 2->50 11 Pago pendiente.exe 4 2->11         started        signatures3 process4 signatures5 60 Writes to foreign memory regions 11->60 62 Allocates memory in foreign processes 11->62 64 Adds a directory exclusion to Windows Defender 11->64 66 Injects a PE file into a foreign processes 11->66 14 RegSvcs.exe 11->14         started        17 powershell.exe 23 11->17         started        process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 76 2 other signatures 14->76 19 explorer.exe 94 7 14->19 injected 74 Loading BitLocker PowerShell Module 17->74 23 conhost.exe 17->23         started        process8 dnsIp9 38 www.tronbank.club 103.224.212.216, 49717, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 19->38 40 k2securityhn.com 3.33.130.190, 49719, 49724, 80 AMAZONEXPANSIONGB United States 19->40 42 www.airzf.com 154.12.38.29, 49721, 80 UNMETEREDCA United States 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 control.exe 19->25         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56 58 Tries to detect virtualization through RDTSC time measurements 25->58 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-04-23 12:11:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vyyawkfseqgrdua6sbtke2uigsjfrvabnraumbqezh7vxnsmtnwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gs12 rat spyware stealer trojan
Link:
https://tria.ge/reports/240423-pg6pdsgb64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
a2ba42ed48ec131b0b401c30a65855fb6e9cf95f8d95cec11b9c4a9b4d2eb32e
MD5 hash:
d37feecac71348dce1ea1abf653c2a5f
SHA1 hash:
296bbb93b782a4794f0a833f05c0fc5f8a21b3d3
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/8924e7f1-44af-4bf2-a8f5-05fcb9a53cea/
Parent samples :
7b692628c5a43cef1780ecd6223c6fa9e40a1e45932db8456738ecd61700544d
81f6e3ff9cc821300e30acd628d0579793806ebfb89941d04f9bc33998f9a851
ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f
SH256 hash:
68708ada6fc26e570215e5ceeac76b0e3fac00497936b50bb491b0676c89f7e1
MD5 hash:
8fb83ac0637f955a24a668bbd9067c2b
SHA1 hash:
c203fbaaff97f3328ec2d56dc37a2d5f3e3a8cd3
Link:
https://www.unpac.me/results/8924e7f1-44af-4bf2-a8f5-05fcb9a53cea/
SH256 hash:
d4134ffcf83e87373b8e71e1858658c23d1e659a213e2f9ad77e8d49811a55ef
MD5 hash:
c8680113692e98253dd8028c571a737a
SHA1 hash:
7dd703cb6d811970411e415f0106159a6d7800c7
Link:
https://www.unpac.me/results/8924e7f1-44af-4bf2-a8f5-05fcb9a53cea/
SH256 hash:
9d29ddb766975d283e42d47ee67fd1f3b88ddecf6defe6f408651984a1eb7313
MD5 hash:
fab0e6b2412a13709095243bcf12af07
SHA1 hash:
23ad8b746833f68dcad791f23f3c7f236af907bb
Link:
https://www.unpac.me/results/8924e7f1-44af-4bf2-a8f5-05fcb9a53cea/
SH256 hash:
ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
MD5 hash:
9a308e1ea62b7ede8876e433178957d1
SHA1 hash:
dac00f0068f3f97a71faf15577ce0c7d855ff691
Link:
https://www.unpac.me/results/8924e7f1-44af-4bf2-a8f5-05fcb9a53cea/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae300b28b224/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments