MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e932695b2e7c04d9e57d7e5e0f3e928898621bcc8657c9d3203b9383c640a325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e932695b2e7c04d9e57d7e5e0f3e928898621bcc8657c9d3203b9383c640a325
SHA3-384 hash: 2cf458b612858a43a496f73cafcda18e4ca952e0c305743f2c90915a3f64239e1e5e0671ca1615f2fa532b4618e5fdd2
SHA1 hash: 840670782743ab63dbbab41d0a9938aeebf49b53
MD5 hash: 1a92e38cd10e466f4523a5983cc18252
humanhash: iowa-moon-undress-asparagus
File name:Bank Iformation_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'622'016 bytes
First seen:2022-05-02 13:07:08 UTC
Last seen:2022-05-02 13:36:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:LnaHCwHojY7LJ4Uh5iyIzlP5h/4KRbwmRUXTJegqcCDmg3:LnCnh4NfzJ/4KnClxqf
Threatray 15'157 similar samples on MalwareBazaar
TLSH T14D758E9D711071DFC857E0B2DA685C64AA217CBA531B4603903739BEAB7D887CF580FA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Bank Iformation_PDF.exe
Verdict:
Malicious activity
Analysis date:
2022-05-02 13:09:05 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/68413e0b-06a7-45ee-b177-e3d56de702c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268222/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.12032.15595.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/626fd7b437afaeff09beff65/reports/b88f15f2-3c6f-4544-92a2-99b5e00e63cf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56289f10-c631-474a-8411-bccafae9661d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/986501
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 618997 Sample: Bank Iformation_PDF.exe Startdate: 02/05/2022 Architecture: WINDOWS Score: 100 31 www.waleeddabash.com 2->31 33 www.autopartsauctionhouse.com 2->33 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 11 other signatures 2->47 11 Bank Iformation_PDF.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\Bank Iformation_PDF.exe.log, ASCII 11->29 dropped 61 Injects a PE file into a foreign processes 11->61 15 Bank Iformation_PDF.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 kafindapay.com 108.179.232.42, 49804, 80 UNIFIEDLAYER-AS-1US United States 18->35 37 www.ontactfactory.com 118.67.131.217, 49809, 80 CLEAR-AS-APClearNetworksPtyLtdAU Korea Republic of 18->37 39 5 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Uses netstat to query active network connections and open ports 18->51 22 NETSTAT.EXE 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e932695b2e7c04d9e57d7e5e0f3e928898621bcc8657c9d3203b9383c640a325/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-02 09:15:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
62
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ezgswzopqcntzl5pzpa6pusrcmgeg6mqzl4tuzahojyhrsaumsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15f6f8d6c24f2a386dfa3331b075e27e0541fcee3af502a28c49e9c3b7441d4b
Formbook
5a6ac40a3c393c4a3feff2030b34b6493215f0e855588f585fdb768529a3deae
Formbook
6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8
Formbook
898b47cb2e4d16a7325de16aae14c3c66894467ece923e706c186ee9ab75799b
Formbook
8c1de309eaa9d9a48f92587f93f88304ae1aa48aee62e7ede11893f1ca61775e
Formbook
b5857293816febc37b61e19218f1bb8e52bc6adbcf4e9e13f6fe849ee0370118
Formbook
c0e6b0b4e80d36f0872fe01ed20cc5a6d17083f6d11ff93cc5ccc841dd43aa33
Formbook
c8c237f5b4d985add596774c36156c4fa9ee54d44ec544528c64b1c10bd163ea
Formbook
+ 15'147 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gias loader rat suricata
Link:
https://tria.ge/reports/220502-qc7xbsafe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
61c8ee4157a481b7ccdb296decfa1bab7ffa49ae9f2a6b3b5d8256f94662d33f
MD5 hash:
aafbc06986e217b8a650160ba3de715f
SHA1 hash:
a7000b78216daa82f67ed73606e21bd92bc84759
Link:
https://www.unpac.me/results/e24fddac-5e2e-438f-aca5-9925c19d112b/
SH256 hash:
3c573e38b7b6f1dd9163ae200f20ed73cf6d0d2a323e191045a165d755fd98f1
MD5 hash:
aeabd18ca5620f9e15aa1f5e9cc511e7
SHA1 hash:
b7bc6e1782c35f093ec5655d4ae759f6a534c621
Link:
https://www.unpac.me/results/e24fddac-5e2e-438f-aca5-9925c19d112b/
SH256 hash:
338e29a6b4ad47cc207ccec75aa8d144bd638f2f8fb05750883489f7476ba4c7
MD5 hash:
17f8feaff48fce4fc518b83afea16651
SHA1 hash:
70477523115ed9e8e984d5743711d290c2a0f46e
Link:
https://www.unpac.me/results/e24fddac-5e2e-438f-aca5-9925c19d112b/
SH256 hash:
f447967012d8252590062ae372f6c7f449ebaeffdf2f6c65ccaa5e34a0262afe
MD5 hash:
7c9cb8a67fa13561444f376c24fb2c1f
SHA1 hash:
197e6328d9526fc5c7179b032b9458542c8c7edd
Link:
https://www.unpac.me/results/e24fddac-5e2e-438f-aca5-9925c19d112b/
SH256 hash:
e932695b2e7c04d9e57d7e5e0f3e928898621bcc8657c9d3203b9383c640a325
MD5 hash:
1a92e38cd10e466f4523a5983cc18252
SHA1 hash:
840670782743ab63dbbab41d0a9938aeebf49b53
Link:
https://www.unpac.me/results/e24fddac-5e2e-438f-aca5-9925c19d112b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e932695b2e7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/e932695b2e7c04d9e57d7e5e0f3e928898621bcc8657c9d3203b9383c640a325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e932695b2e7c04d9e57d7e5e0f3e928898621bcc8657c9d3203b9383c640a325

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/268222/

Comments