MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e
SHA3-384 hash: 7ecf5e1306c0d77f5f944ff8d1e62876fb10ef587683fe0da3f871d5e267e4e824ee0b21cf0dc8dc2523bf17aca52a9f
SHA1 hash: 03871d02b78f0d185ff2d376a15cd397f6e50301
MD5 hash: 4350101d8ef8750d85b60a2ccb5921fa
humanhash: football-kitten-west-arkansas
File name:Payment_Advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:548'864 bytes
First seen:2020-11-05 18:52:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:5FWjTGFtnHxy2Xnvm+NVd0Gy8ELGKgg5zd6xbDpwGi:54jTGFtnHsYnvm+Nb0GyJasd6tDLi
Threatray 2'855 similar samples on MalwareBazaar
TLSH CEC4F1BC07D9C99AD57E6779E430215043B0F4027913EF1EEA9CA4BC2CB37C18AA7566
Reporter abuse_ch
Tags:exe FormBook HSBC


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: ws68.host4g.com
Sending IP: 190.210.9.44
From: HSBC Advising Service <advising.service.18357096.919332.3139007866@mail.hsbcnet.hsbc.com>
Subject: Payment Advice - Advice Ref:[GLVA30957354] / ACH credits / Customer Ref:[APQCL9597] / Second Party Ref:[BPQC14692021]
Attachment: Payment_Advice.rar (contains "Payment_Advice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83526/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 05:45:04 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2enodvpatvr2uodepgxwed5phoifhujonu5iue2tvorhj7xscu7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
70f4d4292ae1e84f9aba35df12e510161a98d453697ed8ce4bebb5fabdb71232
Formbook
805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591
Formbook
ac4d58dc0ca5617911f7ff52953cec2eac9249963dbce3b2f682aeb6eb1baa77
Formbook
b3420cc90cce972045db0377a5c383ce049652650946b0c84f27280a7dbd1e38
Formbook
bfbf73201037462acf28b231212bc311a923ca797168533c3b4d233686f335ef
Formbook
cecc7bc9b39a859e18945a6c8528af86b9d74a20ca74cd629ef03afdc6ab08a4
Formbook
d8eca36ecff579ceffbd778ab8c8949a94d4967e1c0965988b2a68671f1915ef
Formbook
e38e6ac839b8009c1c6d467ed4206f912c39a15af7a1fa7ba4a2a854e441fe50
Formbook
e6d2c97461c6aac9ea130eaa96f9927b57998c04b5e7573a555caa729178a70c
Formbook
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
Formbook
+ 2'845 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201105-pyxqqq59an/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dagadia.com/pna/
Unpacked files
SH256 hash:
d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e
MD5 hash:
4350101d8ef8750d85b60a2ccb5921fa
SHA1 hash:
03871d02b78f0d185ff2d376a15cd397f6e50301
Link:
https://www.unpac.me/results/a8cdaffc-af64-408d-bdcb-9c7f1a568ee1/
SH256 hash:
01ac429a5d1749002e13f981568add51cccc92e92bb34c07045194edebbc0da4
MD5 hash:
6a1aac554ae77ec4c3def587434a3626
SHA1 hash:
1a18127d39e1159539a8f7ccd846036aa1718281
Link:
https://www.unpac.me/results/a8cdaffc-af64-408d-bdcb-9c7f1a568ee1/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/a8cdaffc-af64-408d-bdcb-9c7f1a568ee1/
SH256 hash:
54c3df6913981f76fc2ab51f908a03a9ba1b32050fd1c188ac59c2fb1ba3885a
MD5 hash:
90365cef80f43a7964048bade10ed398
SHA1 hash:
fe6fd765f9d375c42bef300d41c7b230cb06e4d9
Link:
https://www.unpac.me/results/a8cdaffc-af64-408d-bdcb-9c7f1a568ee1/
SH256 hash:
93c5b27938fa31044ae3611e93bbdf457e79af23f4b707608dd7b2c2278bebe6
MD5 hash:
d746ab6b3d5ad16da1c18b37f2dfacff
SHA1 hash:
2780d3ab625248af6cc987bb402a750cddaba217
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a8cdaffc-af64-408d-bdcb-9c7f1a568ee1/
Parent samples :
e6d2c97461c6aac9ea130eaa96f9927b57998c04b5e7573a555caa729178a70c
ac4d58dc0ca5617911f7ff52953cec2eac9249963dbce3b2f682aeb6eb1baa77
d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e
ded4435057919aa79f8453db4172ffd89198323fa247e70daa418a7a21136df2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cf43a7c19d31df25f597c4cbff7c74da

Formbook

Executable exe d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e

(this sample)

  
Dropped by
MD5 cf43a7c19d31df25f597c4cbff7c74da
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83526/

Comments