MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244
SHA3-384 hash:	be105c495fc957dbdf23094741c62d3a7b8659ab8f852d3aa3633fb5d131f9ba05427647a3d6f845713350536b4b1f9b
SHA1 hash:	884ab2b85eb222e6ebb32480d05b2f2e7c17bc22
MD5 hash:	8de332d7f57396f7e6f33e212d33480b
humanhash:	fruit-north-apart-tennessee
File name:	NEW ORDER.scr
Download:	download sample
Signature	Formbook Create hunting rule
File size:	802'304 bytes
First seen:	2022-01-26 05:59:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:wPdQ1m+uHwKuqlqg/c+W7x8hb72lk3rfR+MHHjs0s8/wbUk1mPkm3LNwK5tpU0sa:2X+7x8hb72lk3V+MjMwwT1EJNwDzq
TLSH	T19E05D01632E0C134D29D2C3599A07954BF73F06F38D2F974EEA2DA057BB9784AA04973
File icon (PE):
dhash icon	2c12b27112726418 (23 x AgentTesla, 4 x Formbook, 4 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ORDER.scr

Verdict:

Malicious activity

Analysis date:

2022-01-26 07:14:53 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/acd738af-dca7-4f84-bbc2-8c2ba8e3f37c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/222988/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Searching for synchronization primitives

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61f0e36959d130b02a5225a2/reports/eb66e549-4e88-483a-87fa-0b7c7b0b794e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a6a61782-ecb4-4e48-ab5b-35a5fb270c1a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/927646

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-26 05:52:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=etbyc2y5souhv4z6flap4mxgsnsxryramqsedwejlxzpo2dukjca._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:s16r rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220126-gqchxaheak/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

dba88743bd48da8979345d7fb414a23e693ea124f9bad75c18c9496fbbf4942c

MD5 hash:

06ee9717e415654f0daf2ac073e175a5

SHA1 hash:

774f649c6aaa48fb6a1a676902b821bc16a09601

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f71d33ee-895d-4406-bb93-9c3340587dbe/

Parent samples :

24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244
f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4
dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a
76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6
e6d85a6287cb583fc5dec0b47a3288d9d0bed8e103991797b14a0e16ab41a9b4
4c5d57b063eeb8b59a0d22007e4698b75e7f16d2144636fd0610661a733b5b1b
668deaef1d8c72ce98a734831d2fa70a27e85948c497d5f980c7d8236416fc52
6cc892ee85c0247a54d6329b73857fac9d20b9b76d6b4d360fe5c752a0983180
710cf8f0a914a5baf6d61323ec2f33babc05c1374f4ae3fa8a2b04099c8f1b7f
e51d07f5a5a73b65e0ddd7f2b94fa87a3fede71fbb4e4b35c57b9fc56dd198ee
f71ffb7f3aa8f472021605310da900b36925efcf3f2965b6e541f0aaab4eb1c3
7b019b56698280d4c945147470334d6a5dea23d758713028d21bcfe34d4f0123
504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f
dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6
29a4e548415db316b3e1eea470848a8f339d93afa5bb47cbb357b42a95d5e350

SH256 hash:

1ccb46fff85f1c37c5b3933b9b180b7b029893a683e75c3a28ce0732a543d225

MD5 hash:

72c0512931a7603f9e4ddeeec979211c

SHA1 hash:

b55cf09afe05263ee97df03b87d9ab31d8fe1656

Link:

https://www.unpac.me/results/f71d33ee-895d-4406-bb93-9c3340587dbe/

SH256 hash:

5247926388ed51a1178cb1de85bc5df1443c240ace43d7d9386edf8d7fceec02

MD5 hash:

9a6cb543f17cc6f61c016dbc8a331bc2

SHA1 hash:

62210e9d0f4d5b8101886a336feb3e1ae0eaf824

Link:

https://www.unpac.me/results/f71d33ee-895d-4406-bb93-9c3340587dbe/

SH256 hash:

24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244

MD5 hash:

8de332d7f57396f7e6f33e212d33480b

SHA1 hash:

884ab2b85eb222e6ebb32480d05b2f2e7c17bc22

Link:

https://www.unpac.me/results/f71d33ee-895d-4406-bb93-9c3340587dbe/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/24c3816b1d93/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/222988/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample