MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976
SHA3-384 hash: 60e9ad4ed98cf9937bf4e1470f264891db459b27f5bf9ad07dee44a3f58a75e38e45ffb6fd9bf727614799d7cd716bb5
SHA1 hash: 17ca3bef3ae04189eceeebe632370d6bc50be398
MD5 hash: d753dee4705e0bb9f02ec31e875c8fa5
humanhash: lamp-winner-sodium-mike
File name:bank slip_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'515'520 bytes
First seen:2021-05-24 15:47:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:NsK0RrgusqQLbMxGalstBc4lFW5quSsqGPyGy:G9Rps/LOJGGquSsLPly
Threatray 24 similar samples on MalwareBazaar
TLSH 1F65EF2D612EF126C1A8C2794AC5983BE841DF3730307D65ECD73B896739E41B99227E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bank slip_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-05-25 01:38:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80767235-c5de-43b1-a199-e3dc94e61182

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.MSIL.GenKryptik.FFMW.100541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790922
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423318 Sample: bank slip_pdf.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 11 other signatures 2->65 10 bank slip_pdf.exe 7 2->10         started        process3 file4 43 C:\Users\user\AppData\...\CUCpkFRxst.exe, PE32 10->43 dropped 45 C:\Users\...\CUCpkFRxst.exe:Zone.Identifier, ASCII 10->45 dropped 47 C:\Users\user\AppData\Local\...\tmpCFD0.tmp, XML 10->47 dropped 49 C:\Users\user\...\bank slip_pdf.exe.log, ASCII 10->49 dropped 75 Writes to foreign memory regions 10->75 77 Allocates memory in foreign processes 10->77 79 Injects a PE file into a foreign processes 10->79 14 RegSvcs.exe 6 10->14         started        18 schtasks.exe 1 10->18         started        signatures5 process6 file7 51 C:\Users\user\AppData\Roaming\suSwVklf.exe, PE32 14->51 dropped 89 Tries to detect virtualization through RDTSC time measurements 14->89 91 Injects a PE file into a foreign processes 14->91 20 RegSvcs.exe 14->20         started        23 schtasks.exe 1 14->23         started        25 RegSvcs.exe 14->25         started        27 conhost.exe 18->27         started        signatures8 process9 signatures10 67 Modifies the context of a thread in another process (thread injection) 20->67 69 Maps a DLL or memory area into another process 20->69 71 Sample uses process hollowing technique 20->71 73 Queues an APC in another process (thread injection) 20->73 29 systray.exe 20->29         started        32 explorer.exe 20->32 injected 35 autoconv.exe 20->35         started        37 conhost.exe 23->37         started        process11 dnsIp12 81 Modifies the context of a thread in another process (thread injection) 29->81 83 Maps a DLL or memory area into another process 29->83 85 Tries to detect virtualization through RDTSC time measurements 29->85 39 cmd.exe 1 29->39         started        53 www.ynabvn.com 89.32.150.238, 49767, 80 HOSTERIONRO Romania 32->53 55 martinbrosenterprise.com 166.62.10.181, 49763, 80 AS-26496-GO-DADDY-COM-LLCUS United States 32->55 57 3 other IPs or domains 32->57 87 System process connects to network (likely due to code injection or exploit) 32->87 signatures13 process14 process15 41 conhost.exe 39->41         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-24 14:37:55 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qm6v7op42xahi32yypon7c7wla46vyxfqtvjxhev36dzcrvzf3a._file
Verdict:
unknown
Similar samples:
084b7a2a142edf5c3ebcd6bcafebe00a6953b36eff6ed7dafd54a490e657b1f5
Formbook
1d3e01fb6e4f61f482bf3bc2628b5141a896284973eaa50c35bdb929a5aa541b
Formbook
290963ddb0862d90575e418931ac2cfacfbb79146f5846771e81046298bf75e8
Formbook
3eaf562f8434b81494c817bb90000cd612c6be3cad116c59c2f9608326435144
Formbook
43e9194904503eb5a508cf89297b8dbfc73f79600ff6bf13c5d8e717941e2652
Formbook
4427dbd6209079235487c24f4843a10d582fe6264fae0d107091e81133a8960c
Formbook
5501a072a478f1b6c6045154d4b3e5c102c5da98041f503d80b8a2b50bb6b85b
Formbook
5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008
Formbook
69b433882a0be8350987589222a1b677cb948d1efea4e523b878a778bad33d4a
Formbook
b5d8a24e97905a0333243481930777008b654c43dd04bbf995d75334183c8070
Formbook
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210524-jznhkmyjjn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-24 16:01:45 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection