MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5
SHA3-384 hash:	6522c3831b626f05bd743e24b69db6e5c87df11da90af9beccfe1622a672e9b5ad0dc5ba3c2e49cb3b84af5e084e1575
SHA1 hash:	ceeb08b5411a56c0fc98388bc427b9aa563d8967
MD5 hash:	36efa9e34b8055b9e54572997f85099a
humanhash:	emma-salami-mars-pluto
File name:	Invoice B9800177.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	643'072 bytes
First seen:	2022-07-06 07:52:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:rX2iNZEn27lG1ZGG5Xd2V0p7r0+vgUsMxsxSch5rs1zLn5vMRDlt:z1vjQGGJLp7TvgUsnSchhs1X5
TLSH	T174D42332F6B10350D53922F35972416027FA3EA5C561CB099DECB6FA9CF5AC8404B5EB
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.3% (.SCR) Windows screen saver (13101/52/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching the process to change network settings

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62c53f60dd037e2703336002/reports/5d5ba108-7500-4c85-ab50-d4e8706c9489/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8812d191-baba-4db6-aa37-1787b59b2d74

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1025408

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-06 01:43:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xb7mdkdnbqi6cgb6yppjgjaue7rzh4abn73gf7tmtwmk6l5pelkq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220706-jqy31sadbl/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Adds policy Run key to start application

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

c68fa893d17d98b8c919eaba02c3f12b99875fecc33f48c5809ab14d58a781ff

MD5 hash:

8a525c03e6a606594ea9f0a1aa0b9aec

SHA1 hash:

795e7df4ebe76a875ca6adcc903548e7701f53e5

Link:

https://www.unpac.me/results/5c2c9351-b451-4fc1-a29f-dbf3c0cd5055/

SH256 hash:

3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae

MD5 hash:

9ea556e333e216a65aa09c102f36004f

SHA1 hash:

814c07f1dc68bd61840384aac3aa8346d9f8148f

Link:

https://www.unpac.me/results/5c2c9351-b451-4fc1-a29f-dbf3c0cd5055/

SH256 hash:

70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca

MD5 hash:

30d61a3a3e26c2bca2eb766990132d7c

SHA1 hash:

94f9742d5f21b13f7d8d194fe938193cbb6a0d4d

Link:

https://www.unpac.me/results/5c2c9351-b451-4fc1-a29f-dbf3c0cd5055/

SH256 hash:

7218a887196d45329a76b34a75b322a332a74bad284e9935682c5e4444f25beb

MD5 hash:

92b56a4eb49754d53a5a96e9ea4e09b3

SHA1 hash:

f8c46193eda9ae78d46a80cb0396d1d3e03b176e

Link:

https://www.unpac.me/results/5c2c9351-b451-4fc1-a29f-dbf3c0cd5055/

SH256 hash:

adea027bd878f0e995c0066eb20764c3cd065056426063bb73e47cf4f2d58739

MD5 hash:

9881dfdc199c551f76dc404cc9fc9364

SHA1 hash:

626e6981aa2e0075950a9ea92c3d96a9ca088a83

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5c2c9351-b451-4fc1-a29f-dbf3c0cd5055/

Parent samples :

18ce13c9dc11ab8d14b603076b0d6f3141dd415314be89264c8ff742f01a13a1
b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5
985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc
80752d3336e20d9b4cea4b4fc36fe2f455e4546a12525cf485e38281072c3633
077d4640e51e8a6cb8b05aafa60f5cb061619f556bed260481f2d537a57515d8
89f8e3f130e2c71f420c6c4a600167a5f76d1adf449b8d3e3d0b9af4d0006c2a
0e915f97c1e12598162ad86bde86879e640daa63cf463fc75302aab6a24c3b15
14017a5f9a46c97ba874b288cb1f56a9ce838a0f91c12d8fbfa4265cef0d312d
e216eb87e85cc5c7e5445d1ff94cf9790c62824c1fc5ca2a3e20f19d54d88ab5
e7cd0bf17d9a651f004222e85511d00d5ab27e21e0a47e9359263caa1280a28d
0e32bb72c1ef51858b7183050fccef196f8dd829796954dbe9a8fbcd65dc5021
d55b3acb7fbeaf698e8b940f755c1363224663da98feee5abf93872e979460e9
24cf298cfd5fd4bd6ffdbd3607aee52a39b3bf4db5123e403c05aae37f485058
58ffed8f3b25296ea15a8f5fe71625db5c1ebad7776b4aa5df441cd0246213e2
d08a604bd1b6b5b1ad0ba58434c156f6efde6b6a81d7956473b6d0731061e788
84cb97d382c34756564d3565524daf43425be7505178379782e50d1ba85b2334
44d486a7d9defaa2ed04fa0f3c7ab9973a8370e432fdb90c9418e3694fa65b2c
3a0f3af2723394a157e27c2f71dffa3c54802ae1cf4a5cff78a835afeffdf8c9
ff0c4eb94aa281998aa21d84093a51f525583bb2d333b9c02ea0599f3791e21a
eafff11f17167c7af139e43f9bffdb251cd5eec87d92cc93f0095b0f3eb38996
ad5003b210c5ed8b9de400328290e3955bdb07de23731475934c299a52dc6e98
9a3a97e6801259fb5c604f364434f5c96c519dc979be88f69488a87e3b1fbd2d
546d510fae0de29da545eda3203b4a47ea41ba27f8f134c0fe902a776ca6a054
10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c
fabf08da20fd8737e3fa9f8955422c8b12d14ca6d99fd16d13cdf5eedea58c46
fc359222307f4fb7aa112c091da0ed90481dea090ae53c9578cada9689da5319
5dd3a0a56d55816a0ffa7a9f2feb75613a68bd2ba9f145bd69ea616e8b8c9c9e
aecb569ce42aa96a5b4cdc6e4c2042bafe867bef4c51f0120ac81b09edb865e6

SH256 hash:

b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5

MD5 hash:

36efa9e34b8055b9e54572997f85099a

SHA1 hash:

ceeb08b5411a56c0fc98388bc427b9aa563d8967

Link:

https://www.unpac.me/results/5c2c9351-b451-4fc1-a29f-dbf3c0cd5055/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b87ec1a86d0c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample