MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21bf3627b1e2a400d46ed681b6791b43b13a3f62615b74c3bdaeef402b11bf81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	21bf3627b1e2a400d46ed681b6791b43b13a3f62615b74c3bdaeef402b11bf81
SHA3-384 hash:	bab96aa299bede6d87df3d33291e45bdb3ec77b7d5a437e03e37efb317f8949b41111ef6a08d34b2a5f24b9a4ec85e09
SHA1 hash:	182c85768bcc9d98d5d73b9380c5ef6104ab5d89
MD5 hash:	a335d7a4e7bd5a3ef49a9a9ba80a28a9
humanhash:	leopard-lion-hawaii-red
File name:	SecuriteInfo.com.Win64.CrypterX-gen.26836
Download:	download sample
Signature	Formbook Create hunting rule
File size:	33'280 bytes
First seen:	2022-09-07 20:30:23 UTC
Last seen:	2022-09-08 14:05:18 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	768:Jzrz4jI4newj6KJ6n5Q1qHH9wqeteXoJrRMcC:JblAeQcniqHH99weYnM3
Threatray	2'790 similar samples on MalwareBazaar
TLSH	T161E2E751AFDC4528DBBA963E86C7B67517E4AD024533CF6E2886230A28333F9FD025D5
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	cc86635579738ecc (1 x Formbook, 1 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win64.CrypterX-gen.26836

Verdict:

No threats detected

Analysis date:

2022-09-07 20:36:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/902acc40-ecac-43aa-b95d-f5fbd843dc61

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308578/

Detection(s):

SecuriteInfo.com.Win64.CrypterX-gen.26836.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

scar

Link:

https://www.filescan.io/uploads/6318ffd8f7a861bd921b9d22/reports/efe8063d-bb72-44c2-948e-1c3b53abbc4e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/36d6a748-e220-4b20-a69b-44c9b37bc3c5

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1066757

Signature

.NET source code contains potential unpacker

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Encrypted powershell cmdline option found

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries the IP of a very long domain name

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21bf3627b1e2a400d46ed681b6791b43b13a3f62615b74c3bdaeef402b11bf81/

Threat name:

ByteCode-MSIL.Trojan.Scar

Status:

Malicious

First seen:

2022-09-07 14:48:12 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eg7tmj5r4ksabvdo22a3m6i3ioytup3cmfnxjq55v3xuakyrx6aq._file

Verdict:

malicious

Formbook

22f9a7a8f42d3d3c49c8868d8013d56e54fcdcde9c020fb03bad42903f77279c

Formbook

2c6e013e2bc4014fb8a59dd2bcf6bb12b18ee5cd90fce17832a6a6bbcec0517d

Formbook

458787a4edcc3d5b67ad7cbe721addd3879872d25c90f9399984e02a9038b9c1

Formbook

df8723cf1e135173f9a26e74fbd3f4f3e85cb4b0a922d17fdb9c38699164d6e5

Formbook

f00e0a8ab182f233c9983d7176a3af4dd86a90507f6523990c9208f9596ddd15

Formbook

fd3ee92d2d58129a26dd3f43816178047afc35b7b423da06a6db32ea23ff6613

Formbook

+ 2'780 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

collection discovery persistence spyware stealer

Link:

https://tria.ge/reports/220908-fwslmsbaaj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Adds Run key to start application

Creates a large amount of network flows

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

21bf3627b1e2a400d46ed681b6791b43b13a3f62615b74c3bdaeef402b11bf81

MD5 hash:

a335d7a4e7bd5a3ef49a9a9ba80a28a9

SHA1 hash:

182c85768bcc9d98d5d73b9380c5ef6104ab5d89

Link:

https://www.unpac.me/results/e87dac10-e4d1-4ac0-9554-d7cb5bf39717/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21bf3627b1e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/21bf3627b1e2a400d46ed681b6791b43b13a3f62615b74c3bdaeef402b11bf81

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308578/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample