MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94
SHA3-384 hash: 34215f7541236ded96943b4dd88fcdadc0f2e08b49befba3d019f7ae4fae4549e600529b51648824201f049657911e9e
SHA1 hash: d0301ea7bb0e59df147952b39d7b8661f17ec8a9
MD5 hash: d86b6cbadadc853df7822d2b228710ad
humanhash: nebraska-paris-double-chicken
File name:Quotation_05052021.Pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:801'792 bytes
First seen:2021-05-05 18:23:28 UTC
Last seen:2021-05-05 19:03:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:SVwNden+QYvY5C1Ijh7oU9AK/w1WEEP5:SGo6jwFoUykxEQ
Threatray 5'011 similar samples on MalwareBazaar
TLSH 4A0512781B881A62D52F177C29BCC4402FF5B626C6A3FB1E7FD025771FA67A08325660
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/712372
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405112 Sample: Quotation_05052021.Pdf.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 10 Quotation_05052021.Pdf.exe 3 2->10         started        process3 file4 28 C:\Users\...\Quotation_05052021.Pdf.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 Quotation_05052021.Pdf.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 islamicaudiobooks.net 46.23.69.44, 49728, 80 UK2NET-ASGB United Kingdom 17->30 32 www.puresed.com 194.145.196.19, 49731, 80 TELECOM-HKHongKongTelecomGlobalDataCentreHK unknown 17->32 34 19 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 systray.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 18:24:11 UTC
AV detection:
10 of 47 (21.28%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=26l3xypw2wdcrzoj2rntrqip7gbqmtbsgdzsel72hil2qalsx2ka._file
Verdict:
malicious
Similar samples:
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
298b7204317915aa463fecd43ee99abbb9020e993dc0ffdcc5e382d0f590a7b8
Formbook
3ba0da5db0ccdbabdfd7e95fe24a1c43056b77893dc6c589ede0a2a4ba365cce
Formbook
5ee7421dbf8127f1c6ff086299b2a1c638ca26a61a649f1cb61230814d0ff4e8
Formbook
6657aeabd5ded830361aad9112749d785fc0fbe46121daeb7acb23cd841274ed
Formbook
a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
c9afe6904407e9b60e73edf93efbd932b6725f0f4f33306117ffc9854c21cae2
Formbook
f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
Formbook
f96442a26d160132827a3b109acadaf4aad9dab625939103677cc93783c93ea6
Formbook
+ 5'001 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210505-vjtbkh5b1s/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.themessymarketingpodcast.com/ihmh/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/6ffbc7ca-2b0c-4e80-93e1-1dd5f119673f/
SH256 hash:
d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94
MD5 hash:
d86b6cbadadc853df7822d2b228710ad
SHA1 hash:
d0301ea7bb0e59df147952b39d7b8661f17ec8a9
Link:
https://www.unpac.me/results/6ffbc7ca-2b0c-4e80-93e1-1dd5f119673f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d797bbe1f6d58628e5c9d45b38c10ff983064c3230f3222ffa3a17a80172be94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments