MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031
SHA3-384 hash: 0247aab6a4d6c965f97d86bbc829cbdc45792c45681e163bd15587120bed138fb5aa0de08aacb28cb1f243e1c7c95a6f
SHA1 hash: 5c805afe83fd41d04bc3f119e1a635c2b1ae5f65
MD5 hash: 1b4ef34299d4b6b9d6c8af470be15953
humanhash: jupiter-ceiling-happy-oklahoma
File name:Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:627'200 bytes
First seen:2021-07-26 14:04:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DNOsBgo0q4wMNzyFnlc9NUElXHfxtzQXZIZWbNRL4fadmW3sxj:ZOsBgo0q4wM1yFnluXZhMZIZWYf9H
Threatray 6'816 similar samples on MalwareBazaar
TLSH T187D4CFF1193E7B1BF49709BE20B150A329A044E9CC6DCBE4FB3351A7EF1A55B604478A
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-26 14:51:44 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1cab74ae-d6c3-43cd-bb30-81d26d986e1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174164/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec4b2482-a415-4536-805d-90f5413410fa
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821835
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454246 Sample: Proforma Invoice No.42037 d... Startdate: 26/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Sigma detected: Suspicious Double Extension 2->40 42 4 other signatures 2->42 10 Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe 3 2->10         started        process3 file4 28 Proforma Invoice N...D.78116.pdf.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.ikran-parts.com 17->30 32 www.dfa6r5.com 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 colorcpl.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 14:05:08 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xzmgqpcgxn6okfjkroa4mepdq5bhrzvaxnc64xqpb2m2y5qoayq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02c3598e5f583ac0f0aa5d5c666095d1ab1cd02ebf8d23ad7db61f00da7b793a
Formbook
09f19a43e9a0b736e9fcd33359267340b91a2ccc376c8cda72fac9754c1493c0
Formbook
3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461
Formbook
5fc1f737492b4a7e01b1e2befa4e25b1a65c7a6a83b4ec419660d0c3c4894300
Formbook
78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c
Formbook
82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886
Formbook
88a9cfa636128b92a40156cdabb79f0058c7cf70bc392e60a9e8ec6c1090e6cf
Formbook
b35de004189f271fe754dd614e5fbbc299425f5aca9ebf1f935bf26696964853
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
+ 6'806 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210726-63nsf2waas/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
CustAttr .NET packer
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.elitegamerblog.com/gsg0/
Unpacked files
SH256 hash:
1fb0d1c7757240b953f11cdc24e010bbaff91da2702fe56862a12c4cb557657f
MD5 hash:
3165dacb51f4b6edfeaf829acd0bc2f2
SHA1 hash:
f783151b607fb33dc938e25ab9da03462ebb995e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/dde9c919-73ce-4f93-9a6b-0824411a9a91/
Parent samples :
88a9cfa636128b92a40156cdabb79f0058c7cf70bc392e60a9e8ec6c1090e6cf
f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031
SH256 hash:
3628ac467ab2381c0000c668cc45efd44fc009daedf2bc2f7ff5bbab21a5931c
MD5 hash:
31cc0c212112a192baabfcb4119591e4
SHA1 hash:
a78312e623c1bb1035b2cdbb1198f756f6e25834
Link:
https://www.unpac.me/results/dde9c919-73ce-4f93-9a6b-0824411a9a91/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/dde9c919-73ce-4f93-9a6b-0824411a9a91/
SH256 hash:
c395eaa86db0ac3a66259e1830a19fe2418f23c6923ff2f7c459898e16d18542
MD5 hash:
f812718b5a7ce2edb25f3135bd58d137
SHA1 hash:
39eb489107a477bd29999838bf6e276cb2766709
Link:
https://www.unpac.me/results/dde9c919-73ce-4f93-9a6b-0824411a9a91/
SH256 hash:
f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031
MD5 hash:
1b4ef34299d4b6b9d6c8af470be15953
SHA1 hash:
5c805afe83fd41d04bc3f119e1a635c2b1ae5f65
Link:
https://www.unpac.me/results/dde9c919-73ce-4f93-9a6b-0824411a9a91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/174164/

Comments