MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
SHA3-384 hash: 8cec4ac8e998b9b437d8ee4b561db54d897af4dfcc9b6ce21a4d6dbf560504b1b3fc8e7d9923dd61b6ecbe52ba2268fb
SHA1 hash: 6cfb91be22a7c684e04cdc3e4e36f3c43c7e702f
MD5 hash: 8ec5b6656574a65d6f57b1f27decd161
humanhash: washington-iowa-muppet-indigo
File name:238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
Download: download sample
Signature Formbook
Create hunting rule
File size:244'414 bytes
First seen:2023-07-04 13:22:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa6VVMUOy1kznVL5hQg0KLB2GkjRLL7w6rdv+:PYfmukbVLH70KMJjRbw6rdv+
Threatray 3'327 similar samples on MalwareBazaar
TLSH T1C434132477D3C40BE8B3557304BA57A7EFE28A3214F8992B8360B50C7D76AC1A91E716
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
Verdict:
Suspicious activity
Analysis date:
2023-07-04 13:21:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2bacbf82-b3de-43be-a727-d6c221d0e420

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/406716/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22782.19180.7779.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95522/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64a41d3651710bcd8d4428ba/reports/abfed055-cee0-417d-9166-8778e3bc01d3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca5cd942-d38f-4179-8662-ac6bd4af4c4a
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266643
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1266643 Sample: IMGdjvzOf2.exe Startdate: 04/07/2023 Architecture: WINDOWS Score: 100 31 www.avranox.com 2->31 33 parkingpage.namecheap.com 2->33 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 11 IMGdjvzOf2.exe 19 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\xnkkwcvzv.dll, PE32 11->29 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 11->61 63 Maps a DLL or memory area into another process 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 15 IMGdjvzOf2.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 1 15->18 injected process9 dnsIp10 35 www.beachgrappling.com 208.91.197.27, 49697, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 18->35 37 www.jiuse896.com 188.114.97.7, 49698, 80 CLOUDFLARENETUS European Union 18->37 39 www.b257sh5.asia 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Uses ipconfig to lookup or modify the Windows network settings 18->51 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 00:00:33 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eoegjprnomn4la4lsxelwufzmhiz6bfwwzgt3lzshw4wojtpurma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03315fc089295a2ff5733402c9a928e0fa0c26c3d67dd3610ea121845bde4f1f
Formbook
43e743e060255d4a878a5fd14de21a97ae1fe045cd55dece4a9f1cd1857ee559
Formbook
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81
Formbook
6031a34aae88c5aa68c4c13fccf872edcc28a8e6a3873186f7cc67989a701a5b
Formbook
8a1818f6e89fe3a6a0cae314467eb120d9e3f95ad6e17099c4f3f5e18d039929
Formbook
9123b739b8d3d1c2f5a3dabf8c358c77175422d0e83f5edadc7584bd50eb484c
Formbook
94dab2dcd48fb66d3a0836a2711083a5ee738603de0b47fecfed4e23711def16
Formbook
99ec8b8e93e7a91dab1a16b9353333fa340d52569de4b88f5703bbc5a666211c
Formbook
ad8fd0b0690db382dc13e6e8a7365581877af214c39ca5dd673b8cea760e8891
Formbook
d57ad8a21aa598c3aea680ee4abdebc2ee552c290a1f5d498f3516b084a95d38
Formbook
+ 3'317 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:da23 rat spyware stealer trojan
Link:
https://tria.ge/reports/230704-qmskdsfa5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
780b652a23c309bbc2b16011e4ebeadd990b73d74f297f090652ecffab2c8a58
MD5 hash:
c7d865c71b56a05b603a7fa89e5999a2
SHA1 hash:
c65c02a21dc977eb7ea9c7bfe8bf2de87d6e690b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1dd484a2-998b-4255-a5ad-ace2c3f9d28a/
SH256 hash:
4e2bb7ba85a7232e9d9e1e0918e0e0a2f919a4e184fa18f61e312830070728ae
MD5 hash:
76c9bc90fe94ed2de99af273900404dc
SHA1 hash:
8e23684dbe55183c6916f1533ff1870c85d6fdeb
Link:
https://www.unpac.me/results/1dd484a2-998b-4255-a5ad-ace2c3f9d28a/
SH256 hash:
780b652a23c309bbc2b16011e4ebeadd990b73d74f297f090652ecffab2c8a58
MD5 hash:
c7d865c71b56a05b603a7fa89e5999a2
SHA1 hash:
c65c02a21dc977eb7ea9c7bfe8bf2de87d6e690b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1dd484a2-998b-4255-a5ad-ace2c3f9d28a/
SH256 hash:
4e2bb7ba85a7232e9d9e1e0918e0e0a2f919a4e184fa18f61e312830070728ae
MD5 hash:
76c9bc90fe94ed2de99af273900404dc
SHA1 hash:
8e23684dbe55183c6916f1533ff1870c85d6fdeb
Link:
https://www.unpac.me/results/1dd484a2-998b-4255-a5ad-ace2c3f9d28a/
SH256 hash:
238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
MD5 hash:
8ec5b6656574a65d6f57b1f27decd161
SHA1 hash:
6cfb91be22a7c684e04cdc3e4e36f3c43c7e702f
Link:
https://www.unpac.me/results/1dd484a2-998b-4255-a5ad-ace2c3f9d28a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/238864be2d73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/406716/

Comments