MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0
SHA3-384 hash: 6d603e9144329da6b6fac429bca8cbfefb27f3b7f2fa2204a7b1d704dd0a796b5fce42120a5d48712184ffb5ab5c310f
SHA1 hash: 489d2d23a982393d00ed22530b7919169b0dbe47
MD5 hash: b960a974c1e40499ca7f1489955cf5fe
humanhash: monkey-neptune-arkansas-monkey
File name:BL-SHIPPING DOCUMENTS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'681 bytes
First seen:2023-07-03 09:34:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:/Ya6EZbmuHMo4jXs4oYT7C6bg1H2sTBpZfw1edMzJ:/Y6Zbmuhqs7o7C6E1HhTzGodQ
Threatray 2'868 similar samples on MalwareBazaar
TLSH T18F341248BB50DCB3E4E90E304E7D56A7A5F1EF3411395B2B1370AE5D7A138A1E20E762
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook Shipping

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
BL-SHIPPING DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2023-07-03 09:35:57 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/bd5dfbac-8b06-458b-84bb-a9c23e2f583a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/405816/
Detection(s):
Sanesecurity.Rogue.0hr.20230703-0639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95240/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64a2964be546ae2961052f71/reports/ede6ba7f-734e-492d-83ac-94a29b8a0edc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b192937-c3b6-422c-a5ae-9c74342aecf1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1265719
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 898746 Sample: BL-SHIPPING_DOCUMENTS.exe Startdate: 03/07/2023 Architecture: WINDOWS Score: 100 49 www.gaynorvascones.site 2->49 63 Snort IDS alert for network traffic 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 8 other signatures 2->69 11 BL-SHIPPING_DOCUMENTS.exe 1 21 2->11         started        signatures3 process4 file5 45 C:\Users\user\AppData\Roaming\...\fbktpy.exe, PE32 11->45 dropped 47 C:\Users\user\AppData\Local\...\inaiae.dll, PE32 11->47 dropped 87 Detected unpacking (changes PE section rights) 11->87 89 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 11->89 91 Maps a DLL or memory area into another process 11->91 93 Tries to detect virtualization through RDTSC time measurements 11->93 15 BL-SHIPPING_DOCUMENTS.exe 11->15         started        signatures6 process7 signatures8 95 Modifies the context of a thread in another process (thread injection) 15->95 97 Maps a DLL or memory area into another process 15->97 99 Sample uses process hollowing technique 15->99 101 Queues an APC in another process (thread injection) 15->101 18 explorer.exe 7 5 15->18 injected process9 dnsIp10 51 www.copythriller.com 18->51 53 www.contourbioinc.com 18->53 55 3 other IPs or domains 18->55 71 System process connects to network (likely due to code injection or exploit) 18->71 73 Uses netstat to query active network connections and open ports 18->73 22 fbktpy.exe 19 18->22         started        26 fbktpy.exe 19 18->26         started        28 NETSTAT.EXE 18->28         started        30 2 other processes 18->30 signatures11 process12 file13 41 C:\Users\user\AppData\Local\...\inaiae.dll, PE32 22->41 dropped 75 Multi AV Scanner detection for dropped file 22->75 77 Detected unpacking (changes PE section rights) 22->77 79 Machine Learning detection for dropped file 22->79 32 fbktpy.exe 22->32         started        43 C:\Users\user\AppData\Local\...\inaiae.dll, PE32 26->43 dropped 81 Maps a DLL or memory area into another process 26->81 35 fbktpy.exe 26->35         started        83 Modifies the context of a thread in another process (thread injection) 28->83 85 Tries to detect virtualization through RDTSC time measurements 28->85 37 cmd.exe 1 28->37         started        signatures14 process15 signatures16 57 Modifies the context of a thread in another process (thread injection) 32->57 59 Maps a DLL or memory area into another process 32->59 61 Sample uses process hollowing technique 32->61 39 conhost.exe 37->39         started        process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-07-03 04:20:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eipt2h7c5q43tbkmlbffd6r42spshgk7rluzzdd5ryxpvbn3hcya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0
Formbook
35e8f730fa386dfecfb616ff20246d9eec1d6ec4d2b18f9d2e0d53032bff6b7f
Formbook
6031a34aae88c5aa68c4c13fccf872edcc28a8e6a3873186f7cc67989a701a5b
Formbook
8d108254a8f52c795d01e4fa87ac70437873d1073e38c179716e5fa40816b82f
Formbook
9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
Formbook
9d9e8ec84f674a2484716075dd29db7677057598a3ef9b1d0f8dd4addfac24da
Formbook
a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc
Formbook
a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800
Formbook
fdf0c7d08d92b27b19cd74779d71066a5605f3389421a4b9f3e50276ed7223ea
Formbook
+ 2'858 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s28y persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230703-lkb3eahb4t/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
2c92c3a13530fbcd3a2768af8671311c3fcf878626ed24febdc65c76cbeaeaf1
MD5 hash:
57ba313b829018ef160b67e61a5a48ba
SHA1 hash:
91aed3316a773ffb22f738bd3b01e10d3803a1f3
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ea9f6803-4893-49ee-917a-89b5fadc70fb/
Parent samples :
215bf08032eb73c5e0b50bcce07def909e22f769315b0f90ed6cec87b28d44f6
221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0
fa3a477577604a91938f7650b04d3dfaa1d8ec12578d3bb2618817529c8b5797
ec9d091c881ad4da6f5e77f947c2723b1aa374fbf373931871c767dfb9cabb0e
37ae91a0976d913bc1a194207829dc5460afd7b12d4ee22a69129772d151f156
f3a16fbf76dc776eb61b55b5a5aa8d3203e77effc2e05d85f93df96612323095
80c223f70302436ab080c4c7e8d75f3b3d60c4266a41d0afc56fc6c52cb04352
dce92db361fb0e2b6cc00cb1b205288120af9c48b7ffdfc71b5735ad81c72b16
f792e08bbda113fc78f608ed6aea5424257a5fefe071dfa13dd8e88715d36b87
b0d24f4ca574f8e54fc1e23097d9f6b45ec8c37e7732e43a96daea3179b44aa8
SH256 hash:
221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0
MD5 hash:
b960a974c1e40499ca7f1489955cf5fe
SHA1 hash:
489d2d23a982393d00ed22530b7919169b0dbe47
Link:
https://www.unpac.me/results/ea9f6803-4893-49ee-917a-89b5fadc70fb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/221f3d1fe2ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a34fa78da75463965a522babbfae0942cfbb143dc615dbd40c4c89e073afd2d0

Formbook

Executable exe 221f3d1fe2ec39b9854c584a51fa3cd49f23995f8ae99c8c7d8e2efa85bb38b0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a34fa78da75463965a522babbfae0942cfbb143dc615dbd40c4c89e073afd2d0
Cape
Cape
https://www.capesandbox.com/analysis/405816/
  
Dropped by
MD5 65e34023ffce77a7903540bd96402a91

Comments