MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94
SHA3-384 hash: b2e80bf655b2a2888c954d2dc092dd6910753abd7c514c58f413c9c44b6ff48132fddd627b978dad36555bfa3b89ded8
SHA1 hash: ef25ac4047ccb1dae8836faf7df7a7234420556c
MD5 hash: a06b7622b66895bbe24c19fbcf78510b
humanhash: echo-jersey-early-nine
File name:PAYMENT CONFIRMATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:631'808 bytes
First seen:2023-05-02 08:13:07 UTC
Last seen:2023-05-02 21:17:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:mzmBW4qJkz+yZMPGDT8rLBQlbPVCfmuWbvrH8WC6yelmGGJid:smE4qJUOPGDTm8bNCfybvVCHelwJid
Threatray 2'696 similar samples on MalwareBazaar
TLSH T1E5D4DF426169DF4AFD3ADBF094A4FB8057F1B1B358E1D1211FF624CADAA5F100A4CA1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook QUOTATION

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT CONFIRMATION.exe
Verdict:
Malicious activity
Analysis date:
2023-05-02 08:16:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b53cf58-93a7-414d-9f91-e89bf05a9f92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385996/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6450c64a92903068e34f6bc0/reports/6ef2f18a-a2f7-4aad-bd68-6bc855b3c306/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d92b2555-d624-47ab-a659-a06daaf18bcf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1224437
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 08:14:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hw477kyztxuzfyj6atzjc5srue3dlxcm7g5tmjhd5ytnm36xwka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
018c0b80b1914e2cbaf2de5b0e41a86e391fa88187fed25346adbec1eb5e3c45
Formbook
1c50b01cbeaf831465322319b5697cea9f857dc113127439230c86c68ebb6698
Formbook
70bcbadb3a0abc69b680eb0fdb9c28073dcac6cf7230c855c2bac00943d81485
Formbook
7d05369e7f8c3f1ae6e8e52d34c33707768c9d50c7cc688198f1e72bfebd2599
Formbook
833a839bf412c22e06f2a3c0622e460df8fc5edbf55cdad09e7b76d5d73dacaa
Formbook
8a1f57853b44e3702f2758a4ad46225af7fa0a847ee22b0a9f190be5c062869b
Formbook
c233b5359370a026201a1648489a3f1f91fd11cadb41e87ce45c60ea3a15f8f1
Formbook
cc6eac2e2359b08c5e5c37cafac26d252ca8f22992168fbf5c70a5471ed86ad6
Formbook
d40024a841668b3cb64cb894613ee64fb37288125d32ca3068007f70db30f1ed
Formbook
dc353de8e426e5a5934ca6cc0a3c164a6ac10599fc6341db12a9f7e7d3eb5f02
Formbook
+ 2'686 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230502-j4zayaac27/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
79ebbe5ccbc4bef9c07721cfaf0c733b4769382794482f40bff5967b7449a5be
MD5 hash:
98a5f3e48a3de289454230ea3acb45f4
SHA1 hash:
ed8dcd286132886bd0eeace8a46113d33ab55e85
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
Parent samples :
833a839bf412c22e06f2a3c0622e460df8fc5edbf55cdad09e7b76d5d73dacaa
d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94
a0944a8143c9b1520e9d4c27ba2a6699eafc3352c7fecee0039ab0f410b047ff
SH256 hash:
42794e99927f4dcc692783444afee095e410e921b69e479662a68a304944bee2
MD5 hash:
e4a429836c5a555a001edb23b188e764
SHA1 hash:
fb776d6c6d15b54a8be1119ed96c8a4ff92875c5
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
SH256 hash:
6d2e255843e4f2fb134a64a83e1d87c0ccea996d2a0b1e2d6ed7849b2f219b87
MD5 hash:
33a8fec50aa7e9d6229076e2197129c6
SHA1 hash:
a2f965e538d74ad7ce74d5b506f38cee9f1016b8
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
SH256 hash:
5bdc93dbbd638c141bf3ddd4e4976d31ab1fd76f7d334d83222268590b485248
MD5 hash:
b92c5e2a3fa1ca9bc944e4c9ed1abc9e
SHA1 hash:
88c739ea2cfdcebc98f554bee3ae116e4e1f6527
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
SH256 hash:
8362a107d309eb065d84b5780573c9fd37827ff8f975eaa758b6cec1091172fc
MD5 hash:
c23099f8f63823b69870bfbf7749ecef
SHA1 hash:
2651b69408237d6854e68fc610ea8bb12acae4fd
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
SH256 hash:
d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94
MD5 hash:
a06b7622b66895bbe24c19fbcf78510b
SHA1 hash:
ef25ac4047ccb1dae8836faf7df7a7234420556c
Link:
https://www.unpac.me/results/7b889f2a-fb5c-4439-9f19-3741be3531bf/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1edcffd58cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 668f55824109256ffecdb327adf60445c65c941a61549c7fd3631b1cd7513de0

Formbook

Executable exe d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 668f55824109256ffecdb327adf60445c65c941a61549c7fd3631b1cd7513de0
Cape
Cape
https://www.capesandbox.com/analysis/385996/
  
Dropped by
MD5 2802851fab9b500aded4701b69886a03

Comments