MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b
SHA3-384 hash: 63fd969899221bea98e2e6fbdd4ca8622746248992be59b524b58642ec587cd0f96f37e4fa9b37f13db4e503149ef405
SHA1 hash: c60328e82e5aa581d1dee9bbfec4540fc6187f95
MD5 hash: 24a9db90c650de29f53ae8097593f956
humanhash: nevada-avocado-robin-nebraska
File name:Payment_advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:956'928 bytes
First seen:2023-03-22 14:18:47 UTC
Last seen:2023-03-29 06:29:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:lcyJUzBB8s++Ijo2bdurZb9xBfM5yScBuerx3SBNsXt5LZNTlfPSzl06/TgTU4Ws:W8s++Ij5epZMZGxWsFvSl06MFb
Threatray 2'324 similar samples on MalwareBazaar
TLSH T11F15021677A64B52C2BC97FC08E2A08057B57F362727EB0C6EC271CE0577B58CA52A53
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
5
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_advice.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-22 14:21:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf4810b0-4827-4c42-bc68-524aaf6cbc36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376481/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/641b0e58c60b3295f52ca1b3/reports/985fc941-d33c-4d7b-bc8d-107b88134f8e/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a13a25bc-1640-40c4-b66f-45f376c937fb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199434
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 832338 Sample: Payment_advice.exe Startdate: 22/03/2023 Architecture: WINDOWS Score: 100 31 www.starauctioneerspro.com 2->31 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 5 other signatures 2->43 9 Payment_advice.exe 3 2->9         started        signatures3 process4 file5 23 C:\Users\user\...\Payment_advice.exe.log, ASCII 9->23 dropped 53 Injects a PE file into a foreign processes 9->53 13 Payment_advice.exe 9->13         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 1 1 13->16 injected process9 dnsIp10 25 www.locationsbormes.com 45.114.105.2, 49709, 49710, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS China 16->25 27 carcosainvest.com 206.54.190.30, 49700, 49701, 80 WZCOM-US United States 16->27 29 9 other IPs or domains 16->29 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Performs DNS queries to domains with low reputation 16->35 20 wscript.exe 13 16->20         started        signatures11 process12 signatures13 45 Tries to steal Mail credentials (via file / registry access) 20->45 47 Tries to harvest and steal browser information (history, passwords, etc) 20->47 49 Deletes itself after installation 20->49 51 2 other signatures 20->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 14:19:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54uwpu6repp4k5ptwvszip6hgvf4o3v23zjfmojaopitqorrpvnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
001ae890e1b80cd37b13080c823b9f52f8acaf173a99b3e6c5ab5126017e958d
Formbook
180284f76be1f524875609de4bb4e02cb30a969a438bd871198830ec393afe0f
Formbook
35dc865c22873093d1417a28a5782b40e96ac3a890b51cb57dd89bedb23f1bfb
Formbook
591ea8c06daef587f239bbaa3d29cb46ccba25ccba58c324441efbaf4c5eb5d8
Formbook
8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a
Formbook
90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
Formbook
a7cddad106ee53356655fadfaeaf3b2845aa20de20fbc772cc81866d19993d3d
Formbook
+ 2'314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230322-rmt9nabb5v/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
3668d1d177bca80b57e8454dfd3c470e09f10dae78a895c237c35be0d1dbde72
MD5 hash:
2f81821bc7f97428194db8b640eee0f1
SHA1 hash:
d1ae2f0f514fb2f04fc60e370315ad6150066aec
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
Parent samples :
f26800ceadc29269e613381bba1757f90eafe27e79094e2a90531381001a12b1
180284f76be1f524875609de4bb4e02cb30a969a438bd871198830ec393afe0f
90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
35dc865c22873093d1417a28a5782b40e96ac3a890b51cb57dd89bedb23f1bfb
ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b
c883e6286eeb6bf200ac5bf790b70ba5547f49d0fdc2b2626dccec7727fa7b70
SH256 hash:
9d75dfb194287fbae4ce18763ef3ec5a93bcf66c7139dbe5cadfbf51f9be8d07
MD5 hash:
1daf2c23732900154b7e3b5585a39211
SHA1 hash:
e1e060946f334b057af4cb32a93b5fb4663b123c
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
SH256 hash:
85feecfde5072a9b6e186f634d9a2426970bf88af6366955bcb11b6adba9a741
MD5 hash:
2bcd15d3a3a173c705c08897e08cdcda
SHA1 hash:
f0f97f36a561e911ad811826ee9dc97257bef1d0
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
SH256 hash:
d6e72f18826b5a98f039fd91034484b6fb7cab342cf865b1afd4b7330b292fd3
MD5 hash:
4221a1a82e91a9c42e0d8f8ef1a5dd82
SHA1 hash:
c3021e104823fe97751dfb66e693c1d42acac67c
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
SH256 hash:
4e076f85a50a2f053aed635c2c07f44a57f86af0d230325bf908e4eb355a4e60
MD5 hash:
7a285a1473210f3ae312a7755ea328a7
SHA1 hash:
ad69990b6b1ac2b836bf2cbc46d269c8a463b037
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b
MD5 hash:
24a9db90c650de29f53ae8097593f956
SHA1 hash:
c60328e82e5aa581d1dee9bbfec4540fc6187f95
Link:
https://www.unpac.me/results/9d21472d-1260-4e70-bac3-669468b7a7b6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef2967d3d123/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar fa6ee052c639fbe911409fe71bec0303d0c676863471f37ca192273470a8e04a

Formbook

Executable exe ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fa6ee052c639fbe911409fe71bec0303d0c676863471f37ca192273470a8e04a
Cape
Cape
https://www.capesandbox.com/analysis/376481/
  
Dropped by
SHA256 e2837aa05d8286bfc53782d9d36e120630e0118890813575966a5f6dccb02ae9
  
Dropped by
MD5 0d692d1e9c4616adca7c5e04a9cac687
  
Dropped by
MD5 f6347a5f4e1774ac215ae9e03dc57f46

Comments