MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace
SHA3-384 hash: d090d6c9710d73d87242879c5337b8693a8b860957b322af37160ef58fdfba1b777149de1acfbd47c14faaec0cd74452
SHA1 hash: 226308c36c0a4f7b63a46e470f0d79c217c03a07
MD5 hash: c59007226b76f19d81731c274478a91f
humanhash: mexico-helium-two-utah
File name:Payment advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:679'936 bytes
First seen:2023-01-25 10:10:19 UTC
Last seen:2023-07-18 18:34:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:20Q4KjkKYrubiXG+IF8zIqW5temxhjejvnapEOfr52oj1fpiC0mn/Yic4:oolr6Ue87W5tem2jAlr5lVwic4
Threatray 16'676 similar samples on MalwareBazaar
TLSH T13AE412365758DE3BC9BC10F83012654102FFE2137206EF856CF9A1F5A4D3BE29B6265A
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment advice.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 10:12:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3eb9a99e-9868-4647-b245-d41eac755012

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356667/
Detection(s):
Porcupine.Trojan.Spy.MSIL.Noon.gen.79377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Launching the process to change network settings
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/63d1003696add6d1cf488651/reports/84aaec84-4944-4302-8de0-500c04d8aa76/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2124d2f0-97eb-4324-b098-1d6c432af432
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158600
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791337 Sample: Payment advice.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 8 other signatures 2->40 8 Payment advice.exe 3 2->8         started        process3 file4 22 C:\Users\user\...\Payment advice.exe.log, ASCII 8->22 dropped 50 Writes to foreign memory regions 8->50 52 Injects a PE file into a foreign processes 8->52 12 RegSvcs.exe 8->12         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Sample uses process hollowing technique 12->58 60 Queues an APC in another process (thread injection) 12->60 15 explorer.exe 6 12->15 injected process8 dnsIp9 24 www.wylvxing.com 156.227.6.30, 80 THINKDREAM-AS-APThinkDreamTechnologyLimitedHK Seychelles 15->24 26 salvastorie.com 195.110.124.133, 49702, 49703, 49704 REGISTER-ASIT Italy 15->26 28 8 other IPs or domains 15->28 30 System process connects to network (likely due to code injection or exploit) 15->30 32 Performs DNS queries to domains with low reputation 15->32 19 wscript.exe 13 15->19         started        signatures10 process11 signatures12 42 Tries to steal Mail credentials (via file / registry access) 19->42 44 Tries to harvest and steal browser information (history, passwords, etc) 19->44 46 Modifies the context of a thread in another process (thread injection) 19->46 48 Maps a DLL or memory area into another process 19->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-24 11:37:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ylitletu2y72dewpuxqi44zsrndrodjl45b552e3vycvl3xwllha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1451a0db83b9e0d83eac9a040a5058e9d4aeb54d484c5dae698c3ce0c002ffb0
Formbook
17310a407cf725a962dffd7d620f9bc625331a3b82f4588f882ceffd859ba13e
Formbook
293fd960e74b47494bc97ded006d308f638e49d5886e664957331a4d1e67ea7e
Formbook
718d93188640d8dd5261f070a4b0df7575e9c4ecaf2e7b7146305f7a53bab9c6
Formbook
a0df91a61a543458ecb209576eb6db6db9e282848d9ee7b278717221887939df
Formbook
c71d80598f7d508be65e817fccefce6868b2a49efa99745f9a9a0d7a5bb68937
Formbook
ea5cc541f270957672194a8f4c941dc614c46082d7d0e5edd64567a510aa6b1b
Formbook
fe8dfa5a692cbfdcc238b360d8e7e2f07b673d7d7645d9d2a2eabd245213457c
Formbook
+ 16'666 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion spyware stealer
Link:
https://tria.ge/reports/230125-l7xmmaff73/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
09f3685c8a818b441a2ee503fafb8cd2769b706894c74cf58c90bc95f150f347
MD5 hash:
1155e199da96f28cef0b8111e5418c39
SHA1 hash:
c3231ec3577153dae44d3d3b51b12690eda569bd
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/bd1dcd2b-da9c-4b3c-902e-6d21a00e4e1f/
Parent samples :
c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace
9acc3924e91114f56f97f09bf2ed965fa25dd33ec382ebf1eafd95c9c69baee8
db0ce498e89e73428a0d1325a91da911e0b369615e4c1d22d5c8d17a8e5475f8
SH256 hash:
78681dc6602a5a32bc503c9a8245520e3f0051cce1c3a510d1145c280b392e47
MD5 hash:
a69dd954de2bdc349746ab522d38aaae
SHA1 hash:
1cacd5c91419147998ef506414c5cc0a14e99df7
Link:
https://www.unpac.me/results/bd1dcd2b-da9c-4b3c-902e-6d21a00e4e1f/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/bd1dcd2b-da9c-4b3c-902e-6d21a00e4e1f/
SH256 hash:
7b2018eb14855c4490915fa2c5bc1a2b7e04afb41d3a5b49af9e2cc64212ff68
MD5 hash:
8e6519d0297af3c154a1171664060f95
SHA1 hash:
2ca2db6c14f34817f24051f8c9180eeff18f0258
Link:
https://www.unpac.me/results/bd1dcd2b-da9c-4b3c-902e-6d21a00e4e1f/
SH256 hash:
c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace
MD5 hash:
c59007226b76f19d81731c274478a91f
SHA1 hash:
226308c36c0a4f7b63a46e470f0d79c217c03a07
Link:
https://www.unpac.me/results/bd1dcd2b-da9c-4b3c-902e-6d21a00e4e1f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c2d1359274d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6f517346dda6fb2c2ebb5daa79accf165e866ec394a3bec9983b96a372cdfcda

Formbook

Executable exe c2d1359274d63fa192cfa5e08e73328b47170d2be743dee89bae0555eef65ace

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6f517346dda6fb2c2ebb5daa79accf165e866ec394a3bec9983b96a372cdfcda
Cape
Cape
https://www.capesandbox.com/analysis/356667/
  
Dropped by
MD5 fbc616e48a9bf3df5358dc4b7091cd50

Comments