MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25
SHA3-384 hash: 29153547bfcb93be71520866fcaa0c2c89afe363ae1851fb927d28aa8d15cf71e114a5f138d52c94fe43b2425527f132
SHA1 hash: 208f2b66e3eb6e96d66c9791c769d139fcc0f8c1
MD5 hash: 25c7090d1bbb69bbb099fb6808844c67
humanhash: november-xray-beer-avocado
File name:Pending Payment for June-July.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:246'869 bytes
First seen:2021-08-19 02:34:00 UTC
Last seen:2021-08-19 04:49:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f86f9a1397ea2f648b8914df9ad78914 (4 x Formbook, 2 x Loki)
ssdeep 6144:gXwImyer8POyjxj/Cw00jhvQfYHwhCxxrGo:IwImBgN/xpKfNCxRR
Threatray 4 similar samples on MalwareBazaar
TLSH T167340291C72D4788E058C0B14B6D90352E68AD7A591F0E9F6B81394F5CBA8D3E077B3B
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pending Payment for June-July.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 02:37:02 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e4b201ef-96dd-4efd-8d45-ffc1c64e5400

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180491/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.9942.19075.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bc6abe9-b500-479d-ad77-3c2260726e40
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/835467
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 02:35:07 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22mxjaacuthu2ysq4cwkbdsn43tip442t6kgc4nfp5ltief6husq._file
Verdict:
unknown
Similar samples:
1736c3f3d740011ba6f6d8f18def38d20f0bcbf88c3f69821db18578bc00590a
Formbook
179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85
Formbook
9f8faf1ca8d3262940620bcb00487188e8657336cc3cb498ba4ad90ae96a59af
Formbook
e72dab4f75cd19899422ecf38de195bf487f0f9d2b0ccad98c13a48e9d782e97
Formbook
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6cu loader rat suricata
Link:
https://tria.ge/reports/210819-p9tlwd1f5e/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.xn--marketingrevolucin-61b.com/b6cu/
Unpacked files
SH256 hash:
68a49f8d55aecf2551c16097b302614bcd617a3d1b565f37cd45a92993d0f065
MD5 hash:
1bfe6840b1414ec3315aa2735431fb71
SHA1 hash:
f6e382e2d534b5edc965d5053b6a4c63488e4c43
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/543b72e0-243f-4540-962a-6b792686984f/
Parent samples :
93f0775c5a5512759f85db7b3d1c4b3ee7049369cd0dcd1d4f778626621bfa0c
5b7a858563dfd290658d183a0d1c101e39a9dda3327e84c11ef12bc873cb98b9
d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25
52aaa20eef4d75bb209ef1d632a3e5a894358ebbd5ae9e18262868209fa30b7c
8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46
4f611f4466203533e8cd92ac4c802d90ab056c928bcec7c470b8d61570dfc967
bd015a47e8e376d7cfb70b5ebc81328a9c3a3cdc45d03635b107c106555d55a4
45278d169fd9dfd30355570aec0c04c274d71eec2543d0b33e7e2a641ea93eb7
2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374
8c84e97b71aa8d34be8742cd4b6c0b86abdfb92379b099465eb751b0882efb23
43368f8d0f777c8f0a9fb5dc2ec89f131275873935098ff8a12be41cd2161ecf
c71e73a5006f03bf63ad6099f034a3d19a130a6893979c43318eca2cb6bfd224
e4c51cfe125602ab5cd33e751d121395c59599055a8294a5234c37a399ddf582
7da12f9f66e5a7ee4f9a6a025c6c3a1464ea85d0d805d2f7e85537c24a4ad6c0
c8e7193944ede931e488cd5e85554447e4da772455bad4a8e8b40840d9a5f8e9
d6fa87fb59dbf4de1d1d0af1062a41e6a9620b682ecdfc0eb91856e28b9ea1de
0c5e61b415a6ebd50f07b9a3eab5bb7fd6b501715e9f3968c4ea2dbc7323f189
9b2ccbdf764922ff44a99056461539087a21d4ace577956e8659ca65eb5015d1
SH256 hash:
d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25
MD5 hash:
25c7090d1bbb69bbb099fb6808844c67
SHA1 hash:
208f2b66e3eb6e96d66c9791c769d139fcc0f8c1
Link:
https://www.unpac.me/results/543b72e0-243f-4540-962a-6b792686984f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180491/

Comments