MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4d22706033b31cb83ad489480e3ab88ad44e700560d42139995af8a1d45abc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4d22706033b31cb83ad489480e3ab88ad44e700560d42139995af8a1d45abc3
SHA3-384 hash: 4a2d025331c6c422c14f64013ecc2ab5684ad5f125a1b3f9b174e40652e14cf0018c6eb56d1fd02b1b49737f221d92bd
SHA1 hash: 65ab4bec12c2e1944b36fd9e3a4e1ad61f2f3819
MD5 hash: d3df8002e83a73dd908e6799169a8bc5
humanhash: uncle-potato-alpha-bluebird
File name:bank payment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'427'968 bytes
First seen:2021-04-12 18:02:37 UTC
Last seen:2021-04-13 07:42:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:QXZgUYZFL2bSz7BN33/ksC0eWGLBgpkFhHdCpdaKMXGqZUyW7Mz02x:y2RSbShN33stWGy69NKMZrHd
Threatray 14 similar samples on MalwareBazaar
TLSH D565121133E88749E0BE9B741C31954813F1F506EB32D60E7E91699D1E72B828737BAB
Reporter TeamDreier
Tags:FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bank payment.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 18:03:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bad349bf-0587-4b07-ba65-53f719488df0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133828/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.28034.10493.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673450
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385674 Sample: bank payment.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 48 www.wecare4therich.com 2->48 50 wecare4therich.com 2->50 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 7 other signatures 2->66 12 bank payment.exe 7 2->12         started        signatures3 process4 file5 44 C:\Users\user\AppData\Local\...\tmpDB58.tmp, XML 12->44 dropped 46 C:\Users\user\AppData\Roaming\CqKeeHu.exe, PE32 12->46 dropped 82 Writes to foreign memory regions 12->82 84 Injects a PE file into a foreign processes 12->84 16 RegSvcs.exe 6 12->16         started        20 schtasks.exe 1 12->20         started        signatures6 process7 file8 42 C:\Users\user\AppData\Roaming\suSwVklf.exe, PE32 16->42 dropped 56 Tries to detect virtualization through RDTSC time measurements 16->56 58 Injects a PE file into a foreign processes 16->58 22 RegSvcs.exe 16->22         started        25 schtasks.exe 1 16->25         started        27 conhost.exe 20->27         started        signatures9 process10 signatures11 74 Modifies the context of a thread in another process (thread injection) 22->74 76 Maps a DLL or memory area into another process 22->76 78 Sample uses process hollowing technique 22->78 80 Queues an APC in another process (thread injection) 22->80 29 explorer.exe 22->29 injected 33 conhost.exe 25->33         started        process12 dnsIp13 52 www.ynabvn.com 89.32.150.238, 49772, 80 HOSTERIONRO Romania 29->52 54 www.jubawu.com 29->54 86 System process connects to network (likely due to code injection or exploit) 29->86 35 msiexec.exe 29->35         started        signatures14 process15 signatures16 68 Modifies the context of a thread in another process (thread injection) 35->68 70 Maps a DLL or memory area into another process 35->70 72 Tries to detect virtualization through RDTSC time measurements 35->72 38 cmd.exe 1 35->38         started        process17 process18 40 conhost.exe 38->40         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4d22706033b31cb83ad489480e3ab88ad44e700560d42139995af8a1d45abc3/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 17:29:04 UTC
AV detection:
4 of 48 (8.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tjcobqdhmy4xa5njckiby5lrcwujzyakyguee4zswxyuhkfvpbq._file
Verdict:
unknown
Similar samples:
0726eef18a27b6e019baa87d12d004efc1e0fb42169acedb5a56fee6d39d8946
Formbook
1cf2c4b90a84ce31c99a4b74ed546b17b2332a868f75293f237ea0bb0a5835c4
Formbook
40377adc190ad001ea80a3e8bbc32aedc3bf77bcc8954baa1808bd8ae9c322a0
Formbook
4ac0c7eebfc249cfcc200ff60ee5b1f2d7e4d6fb45544961f5ba7a7650f43a7f
Formbook
5501a072a478f1b6c6045154d4b3e5c102c5da98041f503d80b8a2b50bb6b85b
Formbook
5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008
Formbook
69b433882a0be8350987589222a1b677cb948d1efea4e523b878a778bad33d4a
Formbook
6d13e70c1d1771bcbaedb34b5d89ea697d09cc78b3ed1a972def7dfd8a8f9325
Formbook
c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163
Formbook
f3bb0f029466577eb6ae2f65253d518335a8d4b7862454445d32a8339499614d
Formbook
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210412-3ylr9kdh2n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/c1963f1a-903f-4009-92d8-ad362fea4566/
SH256 hash:
d4d22706033b31cb83ad489480e3ab88ad44e700560d42139995af8a1d45abc3
MD5 hash:
d3df8002e83a73dd908e6799169a8bc5
SHA1 hash:
65ab4bec12c2e1944b36fd9e3a4e1ad61f2f3819
Link:
https://www.unpac.me/results/c1963f1a-903f-4009-92d8-ad362fea4566/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d4d22706033b31cb83ad489480e3ab88ad44e700560d42139995af8a1d45abc3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133828/

Comments