MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546
SHA3-384 hash: bd1b24ee4131a8af6137e5bf514ec9882b045ada23de7aaecd5d76c0a7dabc6cfd3eaa87fc07d9d047f9093ce1ec0f91
SHA1 hash: 450ec0db42f16912b5b07bec99a721f986eba65e
MD5 hash: fd859a818ffb68aea0495950ef65cd5c
humanhash: zulu-minnesota-maryland-seventeen
File name:Payment Advice_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:800'256 bytes
First seen:2021-09-20 09:48:35 UTC
Last seen:2021-09-20 11:08:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:65MTddGQZsmtiK5oyZI2vAnJ3V65MNcpVm7kodtnQW9wNzKASN:d0+FoJqOyjVInQWgzKRN
Threatray 9'469 similar samples on MalwareBazaar
TLSH T10A05ADC17D47D89BF4DF2AB3986FC12011656E8D9161C73D2682BA2B55F331230ABE4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook HSBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 09:49:38 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a741a343-f01a-4b7a-9bd6-70197cc3e5c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189372/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn34.18292.14662.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/687cfbbb-dc8e-461e-9d1d-d28439d5ef73
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853903
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486335 Sample: Payment Advice_pdf.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 29 www.cvacity.info 2->29 31 ic-54113400-0a7b2f-windowsupdate48.s.loris.llnwd.net 2->31 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 9 other signatures 2->55 10 Payment Advice_pdf.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\...\Payment Advice_pdf.exe.log, ASCII 10->27 dropped 57 Injects a PE file into a foreign processes 10->57 14 Payment Advice_pdf.exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 cmmon32.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 39 Self deletion via cmd delete 17->39 41 Modifies the context of a thread in another process (thread injection) 17->41 43 Maps a DLL or memory area into another process 17->43 45 Tries to detect virtualization through RDTSC time measurements 17->45 23 cmd.exe 1 17->23         started        33 www.khdoctor.com 107.149.148.115, 49815, 80 PEGTECHINCUS United States 20->33 35 www.springgrowmeanairway.net 66.96.162.147, 49809, 80 BIZLAND-SDUS United States 20->35 37 7 other IPs or domains 20->37 47 System process connects to network (likely due to code injection or exploit) 20->47 signatures11 process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 09:49:11 UTC
AV detection:
4 of 45 (8.89%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7alfncdrt6ildouvnpvv6bgvvksk72dxf7jyi2pvukpp3zqsivda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
66c88e666d6a8c03122b527176a9ee1b5b9e24a2aa5a49563e242be179760228
Formbook
8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46
Formbook
936070bebeecb98fa897dd9b673c2e3e566d3a4d1a975e6bf819582e9f4d0bbe
Formbook
94e436107d0fb47e65907647813f1914e8c847f3d6045098e65d1bc56abf280f
Formbook
9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145
Formbook
9d5847197dc6764bc3ef98ab27c48b41b156f64da2a26798b2f3814682ce4a4d
Formbook
acf3df7da4bdf99226ab8574e15d1145e46e28605afdf660f1fb19b1d061c386
Formbook
bf299d24600936c9f0f4da127632a2a28c4f5243c23a87ee11a6a96b4d7727a2
Formbook
bf6ae876108b5fec915d91bd36d3ccd22c8593be29412521c32a4b3f11a757f0
Formbook
e7e775fb123a80ae7c57fa23883b060b3b333c4831d5272015c4751736bf2626
Formbook
+ 9'459 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:mimikatz family:xloader campaign:u86g loader rat
Link:
https://tria.ge/reports/210920-ltdmladeg6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
mimikatz is an open source tool to dump credentials on Windows
Mimikatz
Xloader
Malware Config
C2 Extraction:
http://www.springgrowmeanairway.net/u86g/
Unpacked files
SH256 hash:
ead285841040f5a0511c1f03b88eebf3c1dd5be28985f8d32980740ead9e61f8
MD5 hash:
4ade146c479c72a09f68afa7f6a166c8
SHA1 hash:
1f38363f7e071805c5c787b55ed4d9637e835180
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c09a279-bc8e-405a-983c-d952e451e247/
Parent samples :
f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546
9723d45f7d2f12bde692d804c9a7bebd2bb1f9142f7f3efadff7c4a87bc33841
8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/9c09a279-bc8e-405a-983c-d952e451e247/
SH256 hash:
6092399ac1f2ef35ab3323fcfc6d3717ffac78e8a74f45be1e44fffe55d82b4f
MD5 hash:
f5cd4de6be16bd8c257914a7c022487a
SHA1 hash:
abe5c63b455d38a857631fbab2c3276955fc6373
Link:
https://www.unpac.me/results/9c09a279-bc8e-405a-983c-d952e451e247/
SH256 hash:
f00dca59ca97247e363bed65d53c0b805203687a5e8cac04dd37aedfcddfbb86
MD5 hash:
ae275557d2ce01eb1c8092262c1f391a
SHA1 hash:
2d02fc1a29309beb590a9d2da27a508c57141dd4
Link:
https://www.unpac.me/results/9c09a279-bc8e-405a-983c-d952e451e247/
SH256 hash:
f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546
MD5 hash:
fd859a818ffb68aea0495950ef65cd5c
SHA1 hash:
450ec0db42f16912b5b07bec99a721f986eba65e
Link:
https://www.unpac.me/results/9c09a279-bc8e-405a-983c-d952e451e247/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace 009976024005fe51227fe775348a66081e2d958178685929678ea0453c7e137f

Formbook

Executable exe f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 009976024005fe51227fe775348a66081e2d958178685929678ea0453c7e137f
Cape
Cape
https://www.capesandbox.com/analysis/189372/

Comments