MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa
SHA3-384 hash: 6c4ee8fd3bb4f40df1bf1a9b6495072cae3144e01d26ce789dc1c333f1cc0b7231906242a4cbea2cbf70b41fffee28c0
SHA1 hash: 40ab7ab42aefd054049a76e3560c0961f1938dfc
MD5 hash: 1ef97e52ad2e034effd7d8d5d96f15d0
humanhash: five-uniform-burger-sodium
File name:Extracto Bancario.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'533 bytes
First seen:2022-04-15 09:56:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (730 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmqJxKme8SevwoOY85Olmo1XC4lt8E5dP7LMZXvXiv0:HNlQrMevwD5clQ4ltlV7LAvz
Threatray 14'971 similar samples on MalwareBazaar
TLSH T1923412987BF8D5E3C4B35A710E7AE3B2193A552105741317B3A02E5E3CA2682CF5F791
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter proxylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
398
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Extracto Bancario.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 09:59:18 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/2eb93a1f-9788-4155-ba83-49158aa3976c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263970/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13960/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62594170eab80a7a6c1b1322/reports/b358e665-2163-460d-9db5-f4b9e0a5a997/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/408e4f75-ceb4-4552-8e40-ef5a0ff733cf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977366
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 609853 Sample: Extracto Bancario.pdf.exe Startdate: 15/04/2022 Architecture: WINDOWS Score: 100 36 www.marsolucionesdigitales.online 2->36 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 5 other signatures 2->54 12 Extracto Bancario.pdf.exe 18 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\ckukofox.exe, PE32 12->34 dropped 15 ckukofox.exe 12->15         started        process6 signatures7 64 Antivirus detection for dropped file 15->64 66 Multi AV Scanner detection for dropped file 15->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->68 70 2 other signatures 15->70 18 ckukofox.exe 15->18         started        process8 signatures9 40 Modifies the context of a thread in another process (thread injection) 18->40 42 Maps a DLL or memory area into another process 18->42 44 Sample uses process hollowing technique 18->44 46 Queues an APC in another process (thread injection) 18->46 21 explorer.exe 18->21 injected process10 signatures11 56 Uses netstat to query active network connections and open ports 21->56 24 NETSTAT.EXE 21->24         started        process12 signatures13 58 Modifies the context of a thread in another process (thread injection) 24->58 60 Maps a DLL or memory area into another process 24->60 62 Tries to detect virtualization through RDTSC time measurements 24->62 27 explorer.exe 2 160 24->27         started        30 cmd.exe 1 24->30         started        process14 dnsIp15 38 192.168.2.1 unknown unknown 27->38 32 conhost.exe 30->32         started        process16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 18:44:17 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jy5t6yidhqd65dlsdc2eefuvoxdj2jp74wkqo54gfs4kfstb6va._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c66120f301e6e13d6b760c5a63f36aed5fd338626a5abfab3f3750b7302d992
Formbook
4a7aa26a59cccaa38181f61e413214368bd2cb3b8aa9c93c8694cc7d37591a3f
Formbook
62a133737bf99458c62e6566242f54858beced700c8285b8e77b856166a6ec05
Formbook
62cb6977571673131e19fb967260bbe11d225a79197cba0f78ced3cf9b0b2fea
Formbook
88eed605657dcc9cc542b4a3850b49e5ee83ffa39120c04669fb9f1d53955c43
Formbook
9109f3ebb2adae9285c464b1b111e41d7f2a77ce8f686d98110d788786ef9b70
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
c026113c33af8599afd82bb769c25eea7ac5f1212576c4306347a54a8fd5ed1b
Formbook
c85c442c146ddd1260403ccbc446badd1beb7a0128dc68e7bdefcddb8f34d6eb
Formbook
+ 14'961 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220415-lyxahabeb7/
Unpacked files
SH256 hash:
ca1d17c24d4f504c3675bc7558934300932e414866767ba2445111e758916b06
MD5 hash:
ae071e8fb7f43c197b2cde3300bd1f20
SHA1 hash:
1ade5730656f57fb4db360e9741de26df5faad96
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/434febd7-3b1d-4344-8757-986b52db4a3c/
Parent samples :
da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa
24dd23ff5571c43d67c500e87d63530a4de6dccd8ca27122178d5c410e195611
ae780be61afe538f90e40159595af388df5a27131b650c229f9eaf5e362f21a1
SH256 hash:
370786701addc96e35b1a4e955d8eb7c5cced70777f2320244019607e5e89681
MD5 hash:
0fde385148d294f2907a0ac07877ef2d
SHA1 hash:
681b7801a6e4210ec76f308b785954c80c823a0e
Link:
https://www.unpac.me/results/434febd7-3b1d-4344-8757-986b52db4a3c/
SH256 hash:
da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa
MD5 hash:
1ef97e52ad2e034effd7d8d5d96f15d0
SHA1 hash:
40ab7ab42aefd054049a76e3560c0961f1938dfc
Link:
https://www.unpac.me/results/434febd7-3b1d-4344-8757-986b52db4a3c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da71d9fb0819/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da71d9fb0819e03f746b90c5a210b4abae34e92fff2ca83bbc3165c516530faa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:t0_1
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263970/

Comments