MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
SHA3-384 hash: 0b163e9b53e47f301db1243528a2caab106f864306d7ca4f2a5533f80a337a28ee91b9a90944728bb9986691448bc480
SHA1 hash: 10f1ec8f4a1ce70546a4ca25965b606ea2bc20ae
MD5 hash: d5949e2ad723b184d5622ce746b0177b
humanhash: delaware-mexico-pluto-item
File name:INVOICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:311'986 bytes
First seen:2022-04-06 17:12:33 UTC
Last seen:2022-04-06 17:48:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:RNeZ2KnbGYu/gc3BOsNExg7ncENT33uRh9Y/qAMJJdLZ+cb4YO:RNpKnyXgcxOsNEEcENT33uNIqbJB4cbW
Threatray 14'762 similar samples on MalwareBazaar
TLSH T17464DF8761C09077E8C60E760821C45D5A5F7CEC2CB7427A73DC3BA92AFFA8D7649906
File icon (PE):PE icon
dhash icon 68ec61e8e871b230 (7 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261465/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39441244.11702.21820.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12887/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe lokibot overlay packed python shell32.dll virus
Link:
https://www.filescan.io/uploads/624dca2c40ce5db9f41d5ca4/reports/318a1aca-5b43-41eb-ab4e-8349afcc937f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1817bd1-fa70-4905-9cd2-1ae42b8ef7b7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971717
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 604203 Sample: INVOICE.exe Startdate: 06/04/2022 Architecture: WINDOWS Score: 100 32 www.columbusrx.com 2->32 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 8 other signatures 2->54 11 INVOICE.exe 18 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\oryvzibei.exe, PE32 11->30 dropped 14 oryvzibei.exe 11->14         started        process6 signatures7 66 Multi AV Scanner detection for dropped file 14->66 68 Uses netstat to query active network connections and open ports 14->68 70 Tries to detect virtualization through RDTSC time measurements 14->70 17 oryvzibei.exe 14->17         started        process8 signatures9 40 Modifies the context of a thread in another process (thread injection) 17->40 42 Maps a DLL or memory area into another process 17->42 44 Sample uses process hollowing technique 17->44 46 Queues an APC in another process (thread injection) 17->46 20 NETSTAT.EXE 17->20         started        23 explorer.exe 17->23 injected process10 dnsIp11 56 Modifies the context of a thread in another process (thread injection) 20->56 58 Maps a DLL or memory area into another process 20->58 60 Tries to detect virtualization through RDTSC time measurements 20->60 26 cmd.exe 1 20->26         started        34 www.boardsnourhood.com 108.167.189.23, 49784, 80 UNIFIEDLAYER-AS-1US United States 23->34 36 firstparkcondos.com 138.197.170.240, 49780, 80 DIGITALOCEAN-ASNUS United States 23->36 38 5 other IPs or domains 23->38 62 System process connects to network (likely due to code injection or exploit) 23->62 64 Performs DNS queries to domains with low reputation 23->64 signatures12 process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487/
Threat name:
Win32.Trojan.Xloader
Create hunting rule
Status:
Malicious
First seen:
2022-04-06 09:33:44 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yneinvrjwgm6xtng637pp7f7l5elumktyz4jocddtmgdpvfmksdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07bed83b3f7c13154a148f82ceac3fe9f68a7995ed5a939e91427e611bfaa863
Formbook
37381387ba545bb59dfd52eca6574b037020b32ffb1eb9d97419791ac6832b2e
Formbook
4748460c7c757eda69a0340104939b382231567cf559315494901fe2b122900c
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
ba47d548d20732c621ab2fa56d5276a838de12667e1c0355bcf3dbb1466889b3
Formbook
d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35
Formbook
d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633
Formbook
d9fbe8e59e8dcf5231168ed35a3ad0c8c448eb888eca02c9b898d5961899e839
Formbook
e5b723d9a13e6fec23839823866253128dbe758c31082616ca89cf55d35a3998
Formbook
f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363
Formbook
+ 14'752 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:mwfc loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220406-vrge5scddl/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
46e09aa8f1d737799195f4baf4d4bc2c12f51d81656ccc3448f4d1af6b6e3e25
MD5 hash:
8b09b3046673f2354802096d6217e392
SHA1 hash:
50083ef5695b64704b4f50a7bf7a24cab5d746be
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb793961-c5ea-4ae2-ab94-6db75f276019/
Parent samples :
719d886691ce91e7cbf30951199fb337e7ed2d1bae4c381a57da2d3802594be2
ba47d548d20732c621ab2fa56d5276a838de12667e1c0355bcf3dbb1466889b3
c0c29923af2f1b96665b03ba9ad6b7d68a0c1b8cfb4e42767656d9d3b0a5dec0
f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363
d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35
d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633
ed6f5a03bca21156bbdd4119ab88c31234eb1a3114552451a7d8af201279e908
07bed83b3f7c13154a148f82ceac3fe9f68a7995ed5a939e91427e611bfaa863
4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd
86fe5597dcc6944c5615838866eb7d68d212bc87200c9ea1a2e244755d8fe410
21e0f4a6f5733e2bfb4ba603957244392e641f596d9df3f6900d5efa5b895afd
ce80df3a4bc48726d4cb9365247b06678da7972d8473a159b1db32fb66f48a82
2bfa8e78bd3e83e2f442a4c560af71c366044893a85b15aff2f3d7d4c67636cf
d9fbe8e59e8dcf5231168ed35a3ad0c8c448eb888eca02c9b898d5961899e839
37381387ba545bb59dfd52eca6574b037020b32ffb1eb9d97419791ac6832b2e
4748460c7c757eda69a0340104939b382231567cf559315494901fe2b122900c
8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f
95bc06b53614e506be16b2ab8b0841e48fbb95796e86c2052e104d0a485a1b91
d65780164a77ce22c797194c56063b03c1c4975987604aa4a35184d62f0b068a
f35b19f498e527a1a8eca51ec82221c55c2f969efb59b2c0b6cff0f3e0e852f6
5c443a90ff238f83c70b95defcd8dc990289072c42e47ec7749905037add8040
799b39cfe67e2f5219fcdb37a5e82ab96e3456273b05d8ccf2eab60aa2ca6fa8
e5b723d9a13e6fec23839823866253128dbe758c31082616ca89cf55d35a3998
c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
a6d8e8caf01f8c13d014eb8b8bf7f55b453d7084d709efa0e98d43c8290feed8
d28d578ee53e1d9bd5eaad8bd5772098ad8909f8ccb3c22a47da9a53857637f9
bb2c94169afa24fc9d064b5fd6878c9547693eb917850844c417716ec5269718
fba3315dff9db2942ea64b91b77cf06855e83b1eed9199cfed679b08f65f9f69
SH256 hash:
60b3f54da2275f4e7062a18ad72b413db3826d00170a859ec533fb1328758594
MD5 hash:
0361a9f359f0e790728f7233f15a24ba
SHA1 hash:
316941b24d00b64baf38a76e3a44596a6bdbef37
Link:
https://www.unpac.me/results/fb793961-c5ea-4ae2-ab94-6db75f276019/
SH256 hash:
5849308dd5cc86feeb9deb68f71e1347e5f2f71d6ca4d7551a6bfcbee489c35b
MD5 hash:
67c8e9d37b0c5c51b01d302d2d2813ec
SHA1 hash:
af7be7a18d58642844b12745f4db13061388a7b4
Link:
https://www.unpac.me/results/fb793961-c5ea-4ae2-ab94-6db75f276019/
SH256 hash:
c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
MD5 hash:
d5949e2ad723b184d5622ce746b0177b
SHA1 hash:
10f1ec8f4a1ce70546a4ca25965b606ea2bc20ae
Link:
https://www.unpac.me/results/fb793961-c5ea-4ae2-ab94-6db75f276019/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/261465/

Comments