MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb
SHA3-384 hash: c20176b418b8d106e36d77940d226b6d2a86eec076d653a65392b5f693f45b2defd63a5656fb365e5ac9e4256ce33590
SHA1 hash: 4c9278714c0aae121f89e1273d02c08b2b4af412
MD5 hash: 2742755e3fef9f876e7b23f37b653ee6
humanhash: beryllium-autumn-triple-nine
File name:2742755e3fef9f876e7b23f37b653ee6
Download: download sample
Signature Formbook
Create hunting rule
File size:806'400 bytes
First seen:2023-05-08 02:07:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9bkcdXHwni4IyS+ORD9sGko1fkJgN74XIDUm7ZgQ488fLyDJ5Uio:9bJNwLORD2glbfDj7ZgQ48O215Ui
Threatray 2'747 similar samples on MalwareBazaar
TLSH T1550501A314BA8350E03F87B079B8BD2417B335DBE9C69E7403296AC59D5AB113C8D49F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3f75b4fdca6b5faac7e268b2dbec9b62
Verdict:
Malicious activity
Analysis date:
2023-05-05 12:30:50 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/dbfa56b9-6afe-4c4f-94b4-617998b1067f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387360/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.99250.16324.25764.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6458598336a9691aaede1503/reports/341bb163-5d69-40d6-9319-c8746f3f8b1f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c2d6578-9dd8-4699-89ff-dad439fdc711
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1227925
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 12:14:56 UTC
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqal5ek4hga7ua5xt52qzrpdpludfuq6lz7wxplhkn3bfbvqg3fq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0067b252ab478516ec30b56fbb160b7210083c5d10f1b06c4233a3f92bdec28a
Formbook
0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10
Formbook
15046684df239f63119e30eadc6a71abbfece9080bb3a6a1d4f7b0899ee47409
Formbook
43dbcc71737c54b9bcd7f5cc12d2f3d332bf8ca7e80f594725230c44614c5ab9
Formbook
5658c7c8569ab75900d22eaae71debe1b35de848590e3e740b01baf9b05a0efa
Formbook
833a839bf412c22e06f2a3c0622e460df8fc5edbf55cdad09e7b76d5d73dacaa
Formbook
92260cefa8e973f4c40e32aa5656cc9794b745db70b5c7b410a7b0b10c443c6c
Formbook
aa3a5e3035f1281d3a412956e0a0273d33e0f07500abc909eb5d9dad6524b588
Formbook
e843a90ec56b0efbd176b3856d811875e24b98ae6fdf77985e1b77916ab4259b
Formbook
f9d55b9da595432539830f1dc35cd8be32668d9eed89ea051fedbfd82e6ab1ed
Formbook
+ 2'737 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230508-ckj9cagf42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
be1d91f54ac3942f111540df45f8e5707dd09cf6592c3a6518f1e21c7edb7d88
MD5 hash:
581f5b68a96fe615550382611224c96e
SHA1 hash:
6b7234fa3b6b5192846e14e2cfad82b2ee41ff5e
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
Parent samples :
92260cefa8e973f4c40e32aa5656cc9794b745db70b5c7b410a7b0b10c443c6c
2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb
8f3449b43eb5b5bc23330078ff8237c5d743a73519348f95b3c51d691f5663a3
fd775a8681200c469cfdbda94d5c9cde3454cb21a4a4783bad3aa647cab4378e
SH256 hash:
72b312931b9ecd4fbadc34e2d7a8808bcc27e007708490852a376c5df4690b38
MD5 hash:
db346564f5c72876cd6c9c6874f337e2
SHA1 hash:
feeb48062a5228bc706fb86fa81f5b34fe748475
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
SH256 hash:
06f7815673123551c85d99397ce8a67060db84192d597f264575d9af0f40ab23
MD5 hash:
f8b1b6d6249722c781d5689edea36610
SHA1 hash:
d99d70226b55f25122e7a3ea52a6c3173baab1ec
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
SH256 hash:
120af75c6c13f61f0186fa8d93df5ad09e070212630a4564d4ed3954437e0ef7
MD5 hash:
afc1c5999ef2563241e4b88d7d961179
SHA1 hash:
abbb9a17e534e70e4220c749741c55ef095266d6
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
SH256 hash:
244085cf5662f70f2cb3ff691441102837306ec302516bd27bda0f2cd3ab351f
MD5 hash:
5369b5cb9d49bc549a4227c5bbf059cf
SHA1 hash:
52762f90a079523671ca20d90d8ef3319da499be
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
SH256 hash:
2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb
MD5 hash:
2742755e3fef9f876e7b23f37b653ee6
SHA1 hash:
4c9278714c0aae121f89e1273d02c08b2b4af412
Link:
https://www.unpac.me/results/b6e78644-4229-44eb-a070-8af5571f428f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2400be915c39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_EXE_in_ISO
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2400be915c3981fa03b79f750cc5e37ae832d21e5e7f6bbd6753761286b036cb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2626818/
Cape
Cape
https://www.capesandbox.com/analysis/387360/

Comments


Avatar
zbet commented on 2023-05-08 02:07:23 UTC

url : hxxp://172.245.123.16/110/vbc.exe