MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1
SHA3-384 hash:	357621711f1e57b681ef2d54e698ae638401bba9c0941a9b381a3d79eef39aef94adc57db31bf4fad45158430fb9d75f
SHA1 hash:	e04e710ca88703eefe34049bb2d8b58392030461
MD5 hash:	886f9714d4d09a7f78320d55c1aa4ac4
humanhash:	fillet-undress-nineteen-july
File name:	PAYMENT SLIP.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	514'560 bytes
First seen:	2022-05-16 09:58:04 UTC
Last seen:	2022-05-16 10:56:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:x6P8Tv/020nUptS6+s7yQycA1FBSvsQnMm:xz7RgUptSbs7N5CFInv
Threatray	13'521 similar samples on MalwareBazaar
TLSH	T1C6B4E06F9359C109ECA47937C8FBA3217704BE515273D33B68E2289BD827BEA7D40254
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter	GovCERT_CH
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PAYMENT SLIP.exe

Verdict:

Suspicious activity

Analysis date:

2022-05-16 10:13:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1a293218-1723-4151-acb9-7e6c6c3356b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/271007/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6282203bfd71ca8b2ee48dfe/reports/03ade4cc-88e0-4798-a610-6fefe4fdbf62/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1bd4a4d8-0d22-42bc-8202-ee4cb938a2b9

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/994776

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2022-05-15 22:50:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yljzdqrh35ewsezzyqdcrbnqgzegnkmvnaoqf25x35hczwdohiq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3a4c026f2e3c450b18931610d6a795ffe504c41ca1d4bf7d26c5a7a57abcf389

Formbook

3b10fd5bae448476e22cca9c4b9b12263c089af68ebfeb7159ddaf2f4ec3e7bc

Formbook

54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d

Formbook

6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267

Formbook

92757225e0960360fecddb2347f8c20601ff12479207486d4a5b46a1322dbb12

Formbook

b81070ab1c53b68f110a8127a7b1bc7fc83d9726c50e787949cac94f809bd92d

Formbook

cee2290e27d378faacd5a9ab5fc579e912c1ecee9db29e4e79d8b9cd7ee10c94

Formbook

dae8588b604d0728a1a1ecc77096197a34ed1b22ae7de69a53f39b59e6574ffd

Formbook

+ 13'511 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:64pf loader rat

Link:

https://tria.ge/reports/220516-lz2xdaahhk/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Xloader Payload

Xloader

Unpacked files

SH256 hash:

0d92a09f1b6946d88728fc49c5634f3694d45a18f356ab94c7da5a7cdb0e1ff9

MD5 hash:

bf0d230ca78c93d2b76e91f0921c9787

SHA1 hash:

572b025b63a41c4d0919454ce9baf44c04f4c71d

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/84fc9f57-88a5-4b11-b2c0-92a1716bd66f/

SH256 hash:

7bea2156af18fe606c79b41b781de850c475005b8df881c1afbb14021d31e7a4

MD5 hash:

c8d41031a4b0329370c0ee1ad7c46367

SHA1 hash:

e444348594dc6f784a4a0ff3a199a845d40420af

Link:

https://www.unpac.me/results/84fc9f57-88a5-4b11-b2c0-92a1716bd66f/

SH256 hash:

28167cc096a19b18f3f6be0298a6802c51ef9dba0c08f285c3102cf4756219e0

MD5 hash:

6531d9299d3e5a21ae3a3519bf6031df

SHA1 hash:

9a89f11ac1ab9d4f6a4f7c205231762b2c73169a

Link:

https://www.unpac.me/results/84fc9f57-88a5-4b11-b2c0-92a1716bd66f/

SH256 hash:

4f4c95f38ca6cf77ba9a797691bac6cb1541cb20a61c70b5f78364fa9b66a361

MD5 hash:

98899a6b0eea699847770eecc1f4c775

SHA1 hash:

26afb2d09e2781f80812242b7bb3e0dab1d6d48d

Link:

https://www.unpac.me/results/84fc9f57-88a5-4b11-b2c0-92a1716bd66f/

SH256 hash:

de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1

MD5 hash:

886f9714d4d09a7f78320d55c1aa4ac4

SHA1 hash:

e04e710ca88703eefe34049bb2d8b58392030461

Link:

https://www.unpac.me/results/84fc9f57-88a5-4b11-b2c0-92a1716bd66f/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/de169c8e113e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/de169c8e113efa4b4899ce2031442d81b243354cab40e8175dbefa7166c371d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research