MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments 1

SHA256 hash:	231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727
SHA3-384 hash:	8c338713b13dabbc35489b1226cfe5e1f3e15e552d0ebecbb795a9f7147fce67b564f2f4d822b9b8327182359ddda217
SHA1 hash:	82465f9c80d2c186915408cf36e109bba9c93bae
MD5 hash:	2291814c0adf5741ea1a1dfecab72efb
humanhash:	hawaii-autumn-artist-five
File name:	2291814c0adf5741ea1a1dfecab72efb
Download:	download sample
Signature	Formbook Create hunting rule
File size:	807'424 bytes
First seen:	2022-07-13 13:21:50 UTC
Last seen:	2022-07-15 03:33:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:RwidI4Vm1geJ+drbMQlH5DZbzUWjie3bforchJ67eGjnY3yfftFuVv4Os:R0/FJ+rRFZZboWBLggLydGQOs
TLSH	T17F050118FFA84666DB9A537DDCB403258772E2C26723F31C26C4A1A46D137115EC2BEB
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/287061/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.13168.24986.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62cec7060b00dfa734ec5ca5/reports/a1d7ef5a-717d-4fd8-a665-cf52dbd6a746/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e6ae6339-0333-4c26-8ff5-75657ea2ddeb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1030195

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-07-13 09:01:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=emozjpbnkbzugkipkbnu56kf2efvpr5mjgtxpjgdgfaywpsrg4tq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:a62i rat spyware stealer trojan

Link:

https://tria.ge/reports/220713-ql79fshef8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6

MD5 hash:

4d0e9bfe94004ceb16e9b63c7c03067d

SHA1 hash:

05e3fb4119f85cc6b6543d8624191a7000d856cd

Link:

https://www.unpac.me/results/bd72130b-e364-4330-b60e-c3485da02ffa/

SH256 hash:

883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15

MD5 hash:

ecb3f27eb8279c51608c8ea8f8050655

SHA1 hash:

82385d75444ab5fccacf37e2746c7dce73faa7f3

Link:

https://www.unpac.me/results/bd72130b-e364-4330-b60e-c3485da02ffa/

SH256 hash:

05273b683f1d262898d74089191fe470c7873f295bedbf9cb016e3ac3a396149

MD5 hash:

96f33961a755ca135a45b58c60b5fed6

SHA1 hash:

cfdd3bf76a13d5eed09f28ff5ceca2c3f8d75e26

Link:

https://www.unpac.me/results/bd72130b-e364-4330-b60e-c3485da02ffa/

SH256 hash:

a107c2ec4a4318c918595cdb27256834e8fa85de9f57c120f4c63988c5005b06

MD5 hash:

93e216d718ecb31caddc6bcedaf856d5

SHA1 hash:

f45426e9a21977562367e182d0e179a3be6fd35d

Link:

https://www.unpac.me/results/bd72130b-e364-4330-b60e-c3485da02ffa/

SH256 hash:

2c0220f0592b109778c39d45acb2213d68eceb634f5bef4d71e2d3fb81f42044

MD5 hash:

60277db7ce97c7e1f8f34387f0a2b834

SHA1 hash:

281d52b525165da6e56882565f38af3e8cb40305

Detections:

win_formbook_g0

win_formbook_auto

FormBook

Link:

https://www.unpac.me/results/bd72130b-e364-4330-b60e-c3485da02ffa/

Parent samples :

231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727
20127add0e752f2611eb3c21047f0c14a38d23738bcdc2e15794b5e8bdbd5f65
d099e42a4c8649fe039ab52c7f479a31e897242f211a0c2e073aeaf12fcd34ee

SH256 hash:

231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727

MD5 hash:

2291814c0adf5741ea1a1dfecab72efb

SHA1 hash:

82465f9c80d2c186915408cf36e109bba9c93bae

Link:

https://www.unpac.me/results/bd72130b-e364-4330-b60e-c3485da02ffa/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/231d94bc2d50/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 231d94bc2d507343290f505b4ef945d10b57c7ac49a777a4c331418b3e513727

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2256999/

Cape

https://www.capesandbox.com/analysis/287061/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-07-13 13:22:00 UTC

url : hxxp://192.3.110.133/44/vbc.exe