MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401
SHA3-384 hash: 20f8aff559a4b65023ecf203ef5af06f82ac4b4a3e30f4aed976c2821bda77319247b2e0ad3d82f892628332b11f5f45
SHA1 hash: 8a9681f6fbd36ab461f10d263cf35dc9b531e491
MD5 hash: cdf9376a5a9c71a805e57949d2baf367
humanhash: stream-enemy-angel-michigan
File name:Bank confirmation-slip.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:761'856 bytes
First seen:2023-06-07 09:27:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:4RP2B0xTGlxNqvNu2hZ+nUEsn9yCzf6dlh4PZl/1qW6tEcdsRzdg1belSmrJR:MPLaVUH999yKfTPZl/1qpNsxK1it
Threatray 3'099 similar samples on MalwareBazaar
TLSH T171F42394B72BC02FC29B2FB40C44A77661FC82C6FEB2D3171E4BA6A9DB17D25004575A
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0060696969714410 (13 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Bank confirmation-slip.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 09:31:39 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/c657bc88-5401-4c44-a24f-cd1fe024f4f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396323/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67308093.21732.12014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64804da721808a121067e5cf/reports/e652c230-6b12-4cd0-874c-6abfd1fd79fc/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/737dacb4-06cf-4996-a83e-9e7816a119fe
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250198
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 883233 Sample: Bank_confirmation-slip.exe Startdate: 07/06/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 10 Bank_confirmation-slip.exe 3 2->10         started        process3 file4 30 C:\Users\...\Bank_confirmation-slip.exe.log, ASCII 10->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 Bank_confirmation-slip.exe 10->14         started        17 Bank_confirmation-slip.exe 10->17         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 1 14->19 injected process8 dnsIp9 32 www.jxgxjx.com 19->32 34 www.compasss.store 19->34 36 2 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 WWAHost.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 06:59:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22eyysblyt7f6ejxcpxsc7osnoofg6ige4rup5u5qw2qfh34yqaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
Formbook
154da40b848da265e6339dc5773113f75d1b7922b1273a9e6ee6782e33b6b6e4
Formbook
16c87c0de9538e8cac5d187949b3fe9b1a11ee1ed2bcdcc726ea47115d6701e1
Formbook
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
Formbook
880b7f96797851986e0dfb579afb707a7529f1adf9cce67efb7534d4003b8aa7
Formbook
9e392cb448daf1882dac5f6fbc0d736c76bed78befee2c8b513241b8ed6a95a0
Formbook
aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
Formbook
b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0
Formbook
fb9e9215deca3e197ebc03f3e84fd2c02fed5cb14ae31c5693dfd7a8727b9443
Formbook
+ 3'089 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:qf9d rat spyware stealer trojan
Link:
https://tria.ge/reports/230607-lfbk3saa4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
a644df3a3f883aa8e6f1c19a4848a27919ddc351abaa19bdc8ecbe2469b30fd1
MD5 hash:
8f816e6d821eed7a8764512acba328b9
SHA1 hash:
09e10c623664b4c4dab64c4f60e2cc82ec09da26
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/97414ff6-d453-4b57-8407-8354dda96739/
Parent samples :
d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401
ea94d610bc585bff2eee7d9cf22efc6e6d9c45e01cf5fa63ccab509593b65408
SH256 hash:
76a8204aad8ad154676b69b82431fecc2a81f5a0e67eac50ce001193275f0c66
MD5 hash:
5940afb25a0dcb883d1e883596fb169e
SHA1 hash:
ea0010fb0856594de53a1d5bb291c7ed037171ca
Link:
https://www.unpac.me/results/97414ff6-d453-4b57-8407-8354dda96739/
SH256 hash:
2e8e6b579a470f1f1e8a8fee2851978908d422ccfa8b04cb2b2fc884029f263d
MD5 hash:
b6e5010de51c88b870ff6ef1664758df
SHA1 hash:
ab99268ef8969842cf7418331a461fb6a2ef7761
Link:
https://www.unpac.me/results/97414ff6-d453-4b57-8407-8354dda96739/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/97414ff6-d453-4b57-8407-8354dda96739/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/97414ff6-d453-4b57-8407-8354dda96739/
SH256 hash:
d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401
MD5 hash:
cdf9376a5a9c71a805e57949d2baf367
SHA1 hash:
8a9681f6fbd36ab461f10d263cf35dc9b531e491
Link:
https://www.unpac.me/results/97414ff6-d453-4b57-8407-8354dda96739/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6898c482bc4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d6898c482bc4fe5f113713ef217dd26b9c537906272347f69d85b5029f7cc401

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/396323/

Comments