MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2156540defeef151bccca4ec77952f352fac70437f559a1533d4ada6505f5d3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	2156540defeef151bccca4ec77952f352fac70437f559a1533d4ada6505f5d3f
SHA3-384 hash:	0e9c51e532451b7627f8cd561158ea2b017c79701cd79ccff39085faddc3c13563feadeddb7734b60b9332e7e9c1e658
SHA1 hash:	6be1d877115672038c4533c1129430b684e24d09
MD5 hash:	5a8bd0c6478d9ec5386bde36b53d9e2f
humanhash:	mobile-saturn-beryllium-maine
File name:	2156540defeef151bccca4ec77952f352fac70437f559a1533d4ada6505f5d3f
Download:	download sample
Signature	Formbook Create hunting rule
File size:	802'304 bytes
First seen:	2022-10-18 06:30:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:ZAa2iN/TgUuNMVY6IDvlRVudRamkfzmJOqOTUTI6EvJM8VhdiTXQ:h1ANMKB5zudFAm5I7vC8VhdAQ
TLSH	T1CF05E0271BEA4B4BD025B6B894D1D3F2A3E9DC01E167C29B5BCA5C1FF08A275D720361
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321227/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/634e4828898b0652a4b89f4d/reports/8f975d91-6b33-4173-bf9e-04ad45ac29c1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/805ab30b-8b8d-4f9d-b148-b3e9117643c2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1092479

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2156540defeef151bccca4ec77952f352fac70437f559a1533d4ada6505f5d3f/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-09-29 13:40:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eflfidpp53yvdpgmutwhpfjpgux2y4cdp5kzufjt2sw2muc7lu7q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:eiux rat spyware stealer trojan

Link:

https://tria.ge/reports/221018-g92l5sfahq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fc6f7fb8-13e6-4b84-b1c6-020b188b529a

Unpacked files

SH256 hash:

344216377d236a23c2cfc2312ee6f19fc36cbb727145747b92877ffe9fff6d4c

MD5 hash:

8efb881550fccedaffe15c7d8d4207c3

SHA1 hash:

feb357e52c3fdfe717ddfe355adf5eec106a7dea

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

SH256 hash:

6d83a04a312c66f28b342618e6e63db2760c8ebab17865692f6ea5c0d521011d

MD5 hash:

7d6c8eca81a17405cfcf51d140e53253

SHA1 hash:

5336f9135f0ff398a3e8f5b7af44f5a473a4f023

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

SH256 hash:

7d28910a3c8b45df7c935833a50c6c5263814d4e642a1d24f774d7ede54f2f1b

MD5 hash:

862e5f8d4435a97c0ff816781386c2e6

SHA1 hash:

7a091fa8f9007a15f56f77546c002b80594d0095

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

SH256 hash:

1792af251d54df5cb33cadf19381c88d7e06efdc3e955068323cc6a00e2d66e9

MD5 hash:

d9cd3d50660b753ff87468c468b83b25

SHA1 hash:

2a33c98cde92cf7b859ba3391a2e1a88f80ae3a2

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

SH256 hash:

2156540defeef151bccca4ec77952f352fac70437f559a1533d4ada6505f5d3f

MD5 hash:

5a8bd0c6478d9ec5386bde36b53d9e2f

SHA1 hash:

6be1d877115672038c4533c1129430b684e24d09

Link:

https://www.unpac.me/results/0f857b19-cf61-4c77-ba55-4f8c4216ed32/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/2156540defeef151bccca4ec77952f352fac70437f559a1533d4ada6505f5d3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/321227/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample