MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4
SHA3-384 hash: 6d5843f1064fdad432085e9bffe708488a53f2de7ea29df9cd3382faf8c978ec356d3d6f5c1397dc0372642bc33af06f
SHA1 hash: 9112cb83359d88fde19f16290020fe813ba46b46
MD5 hash: c11b21f5c4adcab958c7706cd38f5697
humanhash: shade-muppet-alpha-jupiter
File name:invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:392'704 bytes
First seen:2020-11-20 08:03:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c35b119ed93d2da3d4093a6e2ea9517c (2 x AgentTesla, 1 x MassLogger, 1 x Formbook)
ssdeep 6144:/ZzdCjALkRnJtNyToqsnq80C56Q+uKY911qvkBBPMPAvgDfsH5YwVFIovJgu+D0/:/ZzdCcknyToq20C5vKE11qvaBPTqsHfL
Threatray 3'047 similar samples on MalwareBazaar
TLSH B484E02135C2C072D273027219F99B3166BDBC620F669ACBA7D84F2E9B351D07736762
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: host.gtoolswebmail.ga
Sending IP: 52.152.234.132
From: Rachel Pattersonr<rachel.patterson@sgs.com>
Subject: Re:Attached Image
Attachment: SSG PROPOSED BUDGET.img (contains "invoice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/543830
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321016 Sample: invoice.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Yara detected FormBook 2->39 41 4 other signatures 2->41 10 invoice.exe 2->10         started        process3 signatures4 49 Maps a DLL or memory area into another process 10->49 51 Tries to detect virtualization through RDTSC time measurements 10->51 13 invoice.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 13->16 injected process7 dnsIp8 27 laborexchanges.com 34.102.136.180, 49764, 80 GOOGLEUS United States 16->27 29 rmcfoods.com 109.73.164.114, 49767, 80 DIMENOCUS United Kingdom 16->29 31 5 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 control.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 08:04:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ziy36ixidtlycz6hj3jwrwpg77iguge5vtzc4syappfukl2wg3ka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d52a0e43063bbfa96ddef498339a154c08950af5766bd160219751742b3d89f
Formbook
4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f
Formbook
48759dee612da5c1b36dfe7ce569a64c3e6528210ca830993cba1996db55ea87
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d
Formbook
a806993bf26058dc6cbe82f305945d97dcf5b316115c672774950bcc0626a38d
Formbook
b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65
Formbook
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
Formbook
eb4e7cd83e6986a52a3ad673a6994c6e917dd6bc70adfbccdf2c1a5348b72a0b
Formbook
efaa9091d5aa1f64ae3b3c1258e90d5bb346e25e75ae3c4530ea9346380e2158
Formbook
+ 3'037 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201120-s3nvv6blts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.zgzjxt.com/saf0/
Unpacked files
SH256 hash:
ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4
MD5 hash:
c11b21f5c4adcab958c7706cd38f5697
SHA1 hash:
9112cb83359d88fde19f16290020fe813ba46b46
Link:
https://www.unpac.me/results/971574be-f792-4ac1-b733-a277ff0d1ece/
SH256 hash:
6a9bf25cc9dc3ee3e4bab0a1666af40cd813a899d542e15ba3a9f81bcb7a7dbe
MD5 hash:
9c2d9f677b9c0372ee43f3e8208d8dc1
SHA1 hash:
3120b891316570f19854a808dfe7bb0c2a2a698f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/971574be-f792-4ac1-b733-a277ff0d1ece/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 47884b2bbba39ac0e96bdcb96956a71eb626db9c6f59d528f2c7a6995761ef13

Formbook

Executable exe ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4

(this sample)

  
Dropped by
MD5 30a472e1e7c9261d5c373d5f9d67cffa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 47884b2bbba39ac0e96bdcb96956a71eb626db9c6f59d528f2c7a6995761ef13

Comments