MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
SHA3-384 hash: 49e36406c0530de4db6b610afd11dbe99f4bc3f53982451b4e8ac12d17410e934b86295905e1df2d79dbfb8ab48f0410
SHA1 hash: feef635ed40ebe4433775162448093a4c9bd8ae5
MD5 hash: 6b345cea35b215d9ec425e8e296d0a69
humanhash: xray-california-batman-arkansas
File name:Proof Of Payment & Proforma Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:256'457 bytes
First seen:2023-03-08 15:25:49 UTC
Last seen:2023-03-08 16:37:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:vYa6ax8wmLesKidsPTAuYezNsrlHt0YW7oZD:vYcmwmLeFkzezNuttJWkZ
Threatray 2'343 similar samples on MalwareBazaar
TLSH T15144124873C0C49BD47386712B3A4E7BDAD6A5256A8459071F306F5CBF21992EE0E3E3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proof Of Payment & Proforma Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 15:27:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4bfebf4-90e6-42ae-8926-4d41c4b72504

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372618/
Detection(s):
SecuriteInfo.com.FileRepMalware.28711.12310.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching the process to change network settings
Sending a custom TCP request
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6408a90bf1a68c396b2dbc65/reports/bbc9a2ba-e1b2-4113-9cc2-360cc4bbe15a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ac13f48-faca-4dfe-9628-99b5f2b70d1d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189638
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 822515 Sample: Proof_Of_Payment_&_Proforma... Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 5 other signatures 2->39 9 Proof_Of_Payment_&_Proforma_Invoice.exe 19 2->9         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\jueyus.exe, PE32 9->25 dropped 12 jueyus.exe 9->12         started        process5 signatures6 51 Antivirus detection for dropped file 12->51 53 Multi AV Scanner detection for dropped file 12->53 55 Maps a DLL or memory area into another process 12->55 15 jueyus.exe 12->15         started        process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 3 6 15->18 injected process9 dnsIp10 27 carfactsandfigures.com 37.97.254.27, 49756, 49758, 49762 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 18->27 29 www.hclivestockllc.com 91.195.240.94, 49730, 80 SEDO-ASDE Germany 18->29 31 10 other IPs or domains 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 22 wlanext.exe 13 18->22         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 22->43 45 Tries to harvest and steal browser information (history, passwords, etc) 22->45 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 09:11:22 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5ywgfcxx3eggpiqzall7kiu55i35zfm3kndpqtbg2lzo2rb33fq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
Formbook
27092cac933ddf8f3790ad2cfdd8bb8ffa80adec09f96f4acb2b3ee24ee2157e
Formbook
39156092712f27714fed918a43876cd6b85c9ad6d3ab6b96fe22e49eb2f34346
Formbook
3c081233757b9e6b0c3b74db106fb9778b2bcef8a708fc642f3e2c4e6eb74410
Formbook
492cabb55a2f649ce32194e8f9737a51f071b370bc9cd527aa8cd0b844ee7ea8
Formbook
5f2de407396cfb921e5db52d5efb0fbfd44e7257630b079e02f83a1ed61ab4b4
Formbook
6769905302dd965b16c74da2c0a5633dd4cbfe5c8879a5db6a7322d53d668533
Formbook
8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a
Formbook
d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
Formbook
f4a6e60a7ee010bef6cb4ea0d9548d48ca5d7415336feff957eed8c043ead2b1
Formbook
+ 2'333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230308-st6rpsag6z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
719df9e2b8c5cfa3224343e5ed35e23631f90a8b2f8d3d792e6bd3a67da4f799
MD5 hash:
01b6d47080868c886c77a3cf78a83268
SHA1 hash:
3708f99e34fe14a5793be441c756d9825bff1182
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ac208faf-f820-409d-aadf-925f9238032f/
Parent samples :
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
77a41bcc3afa2f5e690bb8ba00a7d099eaa5bfd9a19e5973a70a0139467c25aa
SH256 hash:
6a5c1119b791b67e50ace96d6e686e99bca12f290cdb2b66d88ad8bb671d7352
MD5 hash:
ded9f915f01e78189fb9e9b6478e20e0
SHA1 hash:
8d5b011abb769e005463248d27361ad3726f1a2b
Link:
https://www.unpac.me/results/ac208faf-f820-409d-aadf-925f9238032f/
SH256 hash:
a4d36d0b005f9d9207f1551c377eb1bed3db80fff75e30077589db1e31f357ba
MD5 hash:
4e9d8a6ee5deac1d178b56fc8696db1b
SHA1 hash:
0b4200d0b7de1f9ee7bc32c51374d13443137833
Link:
https://www.unpac.me/results/ac208faf-f820-409d-aadf-925f9238032f/
SH256 hash:
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
MD5 hash:
6b345cea35b215d9ec425e8e296d0a69
SHA1 hash:
feef635ed40ebe4433775162448093a4c9bd8ae5
Link:
https://www.unpac.me/results/ac208faf-f820-409d-aadf-925f9238032f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf71631457be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/372618/

Comments