MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc
SHA3-384 hash: f2ec73a59cc727b65e0bee45b6363e894b21be410c7b18cf897d2cb28199737ed92baf72ade6ab69e0a014c8443b9247
SHA1 hash: 0cb7a1174cf5d5a7089c8ed585c5e670974b9048
MD5 hash: 5cda0b468d4136fb19e1f79c258acbb9
humanhash: sad-orange-lithium-alpha
File name:Payment Advice.gz.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:379'080 bytes
First seen:2022-01-19 12:21:53 UTC
Last seen:2022-01-19 14:02:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:V7PvzvDyfSNbzhU47FEdSGVS9ZID9khfC3+bLrubMDugyVAB3Zfcpn+1MVoyJPkp:V7PvzWuXFEdSAeSD9jITDug/5GfqPA+
Threatray 12'740 similar samples on MalwareBazaar
TLSH T16A84EDF9E7E34693F8315A36CB91433461327EC9A4E45DF645C8BA2C4E302DE921E96C
File icon (PE):PE icon
dhash icon 31f0c0b2b2c0f071 (8 x Formbook, 7 x AgentTesla, 4 x AsyncRAT)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220604/
Detection(s):
SecuriteInfo.com.Artemis5CDA0B468D41.25095.17243.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61e802710f8c757253cc548c/reports/e75a5f4c-b3f0-4c8c-b081-8e8fada0ddc5/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2c279bfa-46dc-4e09-8e75-6ce4d8fe848b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/923418
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 11:21:57 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jkrd5fqpsrzx2nqjpxetivraphye6rapuyw2tkbxlm45xsdzg6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
204831bda7d04f0905f7bf0c39e45b3772935726d8a436ee9703a19098b37e21
Formbook
230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3
Formbook
6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf
Formbook
6d722da095632d50aa49b4749a4e7db323889aee6fad1ecc2c5dd999e63c645e
Formbook
7206a2aa27d3bb73daca20e7327a3e4cc2f66940e27cda04d3e8440450617596
Formbook
75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
b24fe0dd0ec4d61ac6903f6579d59dcffd17d0e002c96803a551aa3ab17367ef
Formbook
d277fc7f7001598fc7730b3bfec96ce2749f616d64fe20bcd403a599b1bc7c2c
Formbook
+ 12'730 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:be4o loader rat suricata
Link:
https://tria.ge/reports/220119-pjxjhahffp/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc
MD5 hash:
5cda0b468d4136fb19e1f79c258acbb9
SHA1 hash:
0cb7a1174cf5d5a7089c8ed585c5e670974b9048
Link:
https://www.unpac.me/results/09933ca7-3cef-463d-806b-d636d7ab5188/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fa5511f4b07c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c

Formbook

Executable exe fa5511f4b07ca39be9b04bee49a2b103cf827a207d316d4d41bad9cede43c9bc

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b0b986ed5654b0bc08243773c2c57558c3d1e1158f6744eafd7c9357bf2d401c
Cape
Cape
https://www.capesandbox.com/analysis/220604/

Comments