MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d
SHA3-384 hash: 534e0207e13fb5f106e41b7b1595dadb7fe07c53b6d71c77c6eb308efb02303b10867a7956f90acde494a97534fdcf3d
SHA1 hash: 4a247ce1ca95ad10d0b9d55b67809c1919806f06
MD5 hash: 98aedfd4f74ec3722d09f791c05af9c8
humanhash: double-minnesota-zebra-stream
File name:Proforma Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:702'976 bytes
First seen:2023-08-28 07:52:58 UTC
Last seen:2023-09-04 09:30:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pb23/gPrk7WIAdLIejT5iGP7J/gg2EHWhLl8lgSNCtuHKk:uwrkKHdL5YI7J/gg2EY5Og6N
Threatray 1'270 similar samples on MalwareBazaar
TLSH T102E4F140366C3B33E879DBF4102268100BF66C5B60BAEA4C8FD37AE72676F415A59D17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
270
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice.exe
Verdict:
No threats detected
Analysis date:
2023-08-28 07:55:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7f4422a-1059-431f-827b-74325428d6d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444829/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64ec525fb3b7d7c782d0917e/reports/20028b65-94b7-40c3-86ed-a934bffb28c3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f16161f7-bb01-4933-858c-2199942975e1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1298502
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1298502 Sample: Proforma_Invoice.exe Startdate: 28/08/2023 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 5 other signatures 2->41 9 Proforma_Invoice.exe 3 2->9         started        process3 signatures4 55 Injects a PE file into a foreign processes 9->55 12 Proforma_Invoice.exe 9->12         started        process5 signatures6 57 Maps a DLL or memory area into another process 12->57 59 Queues an APC in another process (thread injection) 12->59 15 mZKoRGYfKWAPWAsQaRCBb.exe 12->15 injected process7 process8 17 rundll32.exe 13 15->17         started        dnsIp9 27 www.usxqe6.cfd 17->27 43 System process connects to network (likely due to code injection or exploit) 17->43 45 Tries to steal Mail credentials (via file / registry access) 17->45 47 Tries to harvest and steal browser information (history, passwords, etc) 17->47 49 3 other signatures 17->49 21 explorer.exe 3 1 17->21 injected 25 mZKoRGYfKWAPWAsQaRCBb.exe 17->25 injected signatures10 process11 dnsIp12 29 inovaebook.online 162.240.81.18, 49781, 49782, 49783 UNIFIEDLAYER-AS-1US United States 21->29 31 www.usxqe6.cfd 142.4.124.174, 49767, 49769, 80 PEGTECHINCUS United States 21->31 33 13 other IPs or domains 21->33 51 System process connects to network (likely due to code injection or exploit) 21->51 53 Performs DNS queries to domains with low reputation 21->53 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-18 06:04:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhizz3rkax2iz3ow6h32u3xmtyt4adhnw4jv2amheafqgczqfrwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14384560101a2899411222cff1fc0dc0cd3afdfc1cc57e810c0adadd415157dc
Formbook
1bf9eea6de3a59ee58e13e33175ffdd66c6ba4a187b4df949593853c43784afe
Formbook
4588c6ac02ddd81f8315af2307ec516f58400c555ecd74944a77964fbdd992c1
Formbook
45bebb479e4a722bfb0c85d398ff1c0372e1dc28acf05ecd21cf3a548cb4b79b
Formbook
4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
Formbook
80802d7e4597b03c737d2baa9bb2cb2a400f2c0546218cfa505d408ec5d99b15
Formbook
a7c55c55988c689f4950eec33581a2095c1dd6785cad65aa4418e67ca2bf9ea8
Formbook
ab85d237bee85a4e9d28f837e04d0d45ce410705e2dbdbe7c6c64f7716614d0a
Formbook
fed8358d2eb6cd687bb6f6a88b4f8bc01bd5dcf355535532718a0f04f1eff674
Formbook
+ 1'260 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230828-jqy31shb52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
4949e7d1f7eb837cfcbd0bbc8bb4a2a8fc9831a5b4e2d8408cb526541836a60a
MD5 hash:
d2dc13318d650674a6502b5b1f9d6c52
SHA1 hash:
3e2b5248d34d7f3a107f5bfc0c05ad352ffc60cd
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/75697953-e29e-41f0-ad8f-43e7167c495b/
Parent samples :
4588c6ac02ddd81f8315af2307ec516f58400c555ecd74944a77964fbdd992c1
c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d
8a74737cd563828a070e74b5fa4af0eefc7a98cf8b52fcc0ee5db3c83a2d9cb0
SH256 hash:
070c57cdaca772c0a5d715a3ab4f0a998300c928a246b1f4c6b5361cf37fb5ab
MD5 hash:
cb53137e28f4435b25d1599935626614
SHA1 hash:
4c2845bc43667570b43f1dc7f33b7b516ff060cc
Link:
https://www.unpac.me/results/75697953-e29e-41f0-ad8f-43e7167c495b/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/75697953-e29e-41f0-ad8f-43e7167c495b/
SH256 hash:
0448d13e5588b50edaa58c03610ab5ee6e1546d1ffed2b6097ccdb043eb52c75
MD5 hash:
0fe80bd915e74d5553c9c36977407ea8
SHA1 hash:
8ccd40fb0dab3fd5a65965c9d70ae76a6122a56d
Link:
https://www.unpac.me/results/75697953-e29e-41f0-ad8f-43e7167c495b/
SH256 hash:
aa3670a577d4c6a9de6032190f2e147ca39d1a7b7cdaeba6b29205da945ba9f5
MD5 hash:
b2ba69c87d0423b3ea3e23e0784e8dbd
SHA1 hash:
0131a3bdd22a942b42310e1f9bfcba786d077959
Link:
https://www.unpac.me/results/75697953-e29e-41f0-ad8f-43e7167c495b/
SH256 hash:
c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d
MD5 hash:
98aedfd4f74ec3722d09f791c05af9c8
SHA1 hash:
4a247ce1ca95ad10d0b9d55b67809c1919806f06
Link:
https://www.unpac.me/results/75697953-e29e-41f0-ad8f-43e7167c495b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1d19cee2a05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 7b004dd3597a83a76fe18e9e835a7aa46b1164bc6309f6b3b4a663ecaf1beb09

Formbook

Executable exe c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7b004dd3597a83a76fe18e9e835a7aa46b1164bc6309f6b3b4a663ecaf1beb09
Cape
Cape
https://www.capesandbox.com/analysis/444829/
  
Dropped by
MD5 3dad58acd89c8445e7825060d82a37e7

Comments