MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f
SHA3-384 hash: d7a1b6243cc42736bc594e0d53235d88b450c9502085e89d5b4aa824c0301272aff365abd04ba1aff11bd9ef3ab42c8d
SHA1 hash: 107fdd58bfa83415e8359e22dcd3710a006e4dfc
MD5 hash: a0eae724a324d168ea7f600be5ca3984
humanhash: maine-solar-cola-magnesium
File name:Payment Remittance Advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:587'264 bytes
First seen:2023-05-08 17:31:47 UTC
Last seen:2023-05-13 22:54:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:xnrTfq5uTjWegOT/oWiT9iIf7G7LyvNr/jh0uILNS0T:xnXfqoTKdweT9io7kLk5/jy/LN
Threatray 2'806 similar samples on MalwareBazaar
TLSH T192C412D0B1F68AD7E81E8EF4297CB941137271A794C8D6C84F35608857F7B416E88A1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 285430d4d0305428 (10 x Loki, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Payment Remittance Advice.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 17:35:08 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/ec852ce8-9fc6-4e85-b8a7-de3f873f5653

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387582/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/645932146bfa3326714e2dfc/reports/5c72b554-157e-4cd4-8cdd-42da65035c4a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c04145ee-78ff-4d63-a1a9-c220f41e8bca
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228530
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 861491 Sample: Payment_Remittance_Advice.exe Startdate: 08/05/2023 Architecture: WINDOWS Score: 100 37 www.estymuelsintegrated.africa 2->37 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 9 other signatures 2->51 11 Payment_Remittance_Advice.exe 3 2->11         started        signatures3 process4 file5 35 C:\...\Payment_Remittance_Advice.exe.log, ASCII 11->35 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 Payment_Remittance_Advice.exe 11->15         started        18 Payment_Remittance_Advice.exe 11->18         started        20 Payment_Remittance_Advice.exe 11->20         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 22 explorer.exe 1 15->22 injected process9 dnsIp10 39 tea-ignite.net 45.79.171.66, 49684, 80 LINODE-APLinodeLLCUS United States 22->39 41 digitalmagazine.online 76.223.105.230, 49683, 80 AMAZON-02US United States 22->41 43 3 other IPs or domains 22->43 53 System process connects to network (likely due to code injection or exploit) 22->53 26 chkdsk.exe 22->26         started        29 autochk.exe 22->29         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 31 cmd.exe 1 26->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 07:46:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pgqqjgxemih7p3f6tmckbsuj73fcq3e45csiltuvdl7q3iwk5pq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b89806418ec582854a24adb93fba607c7f27938f2b653a081aefd1a5e419e4f
Formbook
2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42
Formbook
3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394
Formbook
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
Formbook
7d0fdf3abd56e00933c0fa8cf573b948a4c9d85248915249f1909e6775f75e75
Formbook
7e17d20032413cfa6dc32271e7a386b32a4cc79744171f9f2d9b895444c5e110
Formbook
a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75
Formbook
bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed
Formbook
cc9fd84fffa1811ef3177586d7c6aee88dc4dc5412fd658ee4bb36ff934eec01
Formbook
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
Formbook
+ 2'796 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:in62 rat spyware stealer trojan
Link:
https://tria.ge/reports/230508-v39wtsdf2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
a3abd2c84affc850b509a0cc8d1296c93e7984cebdf95011ca97761bdfd6cf39
MD5 hash:
f8da6933624301c9deb2fcade90a42b8
SHA1 hash:
5667dbcd5a831a60fa9a4a277f87516a422a8496
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/78459414-d7c8-4d19-866c-089cfc0b98ea/
Parent samples :
fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f
70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a
SH256 hash:
c7fa9e3994ff3da6e81016afdf6b2b565938f21aac445cc3c999b34d484e2e84
MD5 hash:
1c2350d5d1afb4a06f6fd2d1424b9589
SHA1 hash:
81d0add13500940bc6780ac4432135509ee777be
Link:
https://www.unpac.me/results/78459414-d7c8-4d19-866c-089cfc0b98ea/
SH256 hash:
358ee2a7d69e8cbdd40f339dd46e801372fc44e404a997b6aac0f5dd2dcafb5f
MD5 hash:
7f33ec72ec8b8c11bd5451740fead685
SHA1 hash:
6aa415848190ddf5e8f9fc050f31457f9202fb84
Link:
https://www.unpac.me/results/78459414-d7c8-4d19-866c-089cfc0b98ea/
SH256 hash:
80decb2b83eecaabbda79428789ff211893bdd7c3d4c8cc9232bcce5e9b6c291
MD5 hash:
4a76c3d242eb9830223aa9c384589df2
SHA1 hash:
438e332fa1e6c16677dab795d2553a78981b3e79
Link:
https://www.unpac.me/results/78459414-d7c8-4d19-866c-089cfc0b98ea/
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/78459414-d7c8-4d19-866c-089cfc0b98ea/
SH256 hash:
fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f
MD5 hash:
a0eae724a324d168ea7f600be5ca3984
SHA1 hash:
107fdd58bfa83415e8359e22dcd3710a006e4dfc
Link:
https://www.unpac.me/results/78459414-d7c8-4d19-866c-089cfc0b98ea/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fbcd0824d723/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z b2c8cd267b139c47bf4f07eb05e61cb39ec80db15de627adcce7051189665820

Formbook

Executable exe fbcd0824d723107fbf65f4d82506544ff6514364e745242e74a8d7f86d16575f

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/387582/
  
Dropped by
SHA256 b2c8cd267b139c47bf4f07eb05e61cb39ec80db15de627adcce7051189665820
  
Dropped by
MD5 fde5052283982b31e8affce41a047ef3

Comments