MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2630c44d4f84ca7abc040505a9b4105634bfcd99b4e4de8cb75993eca94d4cd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2630c44d4f84ca7abc040505a9b4105634bfcd99b4e4de8cb75993eca94d4cd5
SHA3-384 hash: 3d93bbc39d0df0fa46d3580dd7c0db35c79039dcb33155f05f912b5834257e92d608bd79205bb379e87c9182f61999e1
SHA1 hash: 0be9854d9fb05c77f814e076dbf1b358687470e9
MD5 hash: 1d49923885911bec6854216dfa14b7de
humanhash: two-twenty-texas-vermont
File name:1d49923885911bec6854216dfa14b7de.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:306'818 bytes
First seen:2022-03-03 08:36:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiKYNm2sowL88I76J/+L/1AP0h7iuTys+qirM2cmHzqRShq:3ZwLs6JrMh9TmqAfz/A
Threatray 13'892 similar samples on MalwareBazaar
TLSH T18964231ADAD4D623D7E6593007B7D3F4F3FB89C645A3A603EBA80F2276193970895C81
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246775/
Detection(s):
Win.Malware.Generic-9940818-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/905dbaa3-79a1-484f-8bf8-3c5b7dedff83
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/949848
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2630c44d4f84ca7abc040505a9b4105634bfcd99b4e4de8cb75993eca94d4cd5/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 07:15:52 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eyymitkpqtfhvpaeauc2tnaqky2l7tmzwtsn5dfxlgj6zkknjtkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
335fa8671bb1ef8659247de4bed05898512fb3a056ef6deb31849eefef8a4743
Formbook
6b765d70d97e0b3d8da0d871555d9d284bd08e85034ad45447bde1aadd2b2878
Formbook
736e922d451686797ec76431a5c40aab65da4cc9de49fc8a898c013f44caf2ce
Formbook
93da913f4b899003071cf8743f4a06f14464397cdb135638e2e76072a283f970
Formbook
959b7ce61e82bc7f837042b10627c2d87442d52a243eafa8b837419ec0174418
Formbook
a71e32c316d38a8ed867e32672cc48624e1e716f8a339e29dc57108216b0bc8a
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
e68d65f2d19ca4d1d09bfc86fad9464689e1453f3c4488ef75dbb84041f22518
Formbook
+ 13'882 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:y329 loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220303-kh6nkaaae2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Unpacked files
SH256 hash:
2630c44d4f84ca7abc040505a9b4105634bfcd99b4e4de8cb75993eca94d4cd5
MD5 hash:
1d49923885911bec6854216dfa14b7de
SHA1 hash:
0be9854d9fb05c77f814e076dbf1b358687470e9
Link:
https://www.unpac.me/results/001122ee-7fb5-40ce-84dd-d2aa808c1f66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/2630c44d4f84ca7abc040505a9b4105634bfcd99b4e4de8cb75993eca94d4cd5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2630c44d4f84ca7abc040505a9b4105634bfcd99b4e4de8cb75993eca94d4cd5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2071308/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246775/

Comments