MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf
SHA3-384 hash: 0ba270a063c7e9550186d94870d7718855af2cf0d90965cfab5ab4121d8232f84524d5944584bfc6daa1d44ecdccc084
SHA1 hash: 663812bf9037681a9dc953a3520b1f54c17c7845
MD5 hash: f8f0e589e87202ce0b1657ba331e3fb9
humanhash: lima-shade-south-william
File name:Bill Of Lading - DGGA33116.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:929'792 bytes
First seen:2023-05-25 08:35:05 UTC
Last seen:2023-05-29 09:53:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:wP0tN5wBL+KzvB+bZdcMtBx/vCP8fWH0G:wP0iBLTBMltKP8G0G
Threatray 2'938 similar samples on MalwareBazaar
TLSH T15815F19125E08C10E2AAAFB546B3F27453755C55E763C30A24E02C9B7D3BA927F463C3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon e869f1f070f03054 (8 x Formbook, 7 x AgentTesla, 4 x Loki)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
241
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bill Of Lading - DGGA33116.exe
Verdict:
No threats detected
Analysis date:
2023-05-25 08:55:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21f3c5f1-6180-49c7-8bc0-ec0be23ece61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391470/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/646f1df35ce396d092140e39/reports/e6d4d6d8-1735-46f8-83c8-fe7a7724c337/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40a0dda4-e977-40d8-a957-d0ee5539d2e4
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1242343
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-05-22 06:05:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2jml6zhrkc5wfcmqeqwc6vxscnfika6kfq3rp7zec6uqxve5thq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02bc9f274f7ba4ec93358bfa71c5b658727b414e7e6301c50fac619227a78327
Formbook
151eacb26f65117d4a4abb8473c8650edd42b079a662f7dc4c4ebdd966045d1c
Formbook
2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd
Formbook
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
Formbook
571f10fb2f8ed39463e85d4a5af98f8203489b60d7a634d890462f10d6b15f2d
Formbook
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
Formbook
bde2918cb64c5e7a60fdd3efb2a0a11bd352210b61c600a19f5b47bc61e5b2de
Formbook
ce3a332225a10d659e26a1775a2e002ce62d470c9f02c47bbbf69767c7e2ffa9
Formbook
e0b295c6ff8b659d36af3e6b48ce997d4e094d8f50bd14ec71c309a46024dad5
Formbook
+ 2'928 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230525-khkq4ahd41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
7bb70d3d4bc68aa15e8a93d035dc943e4860b944bba5767c8051738d6ceac24b
MD5 hash:
b3f6e6eb60ebf84ae5ad1f9926ab3ce9
SHA1 hash:
6c21c05971f62955fd3fbc2697c0407647224ee9
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
Parent samples :
02bc9f274f7ba4ec93358bfa71c5b658727b414e7e6301c50fac619227a78327
151eacb26f65117d4a4abb8473c8650edd42b079a662f7dc4c4ebdd966045d1c
ce3a332225a10d659e26a1775a2e002ce62d470c9f02c47bbbf69767c7e2ffa9
571f10fb2f8ed39463e85d4a5af98f8203489b60d7a634d890462f10d6b15f2d
2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf
0b7841ea5b8040d0a636dfb94f374666baec80ee31307dc156c947b287d8f1cc
a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516
89525d55fd73880fae8d04629ee885c441a497fb091eb73e204c91d9d03ddb05
742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
SH256 hash:
ee8044463d637bca6ee6967b5ab0ab04d28db515b94e1e09eb931f69d4bb4d22
MD5 hash:
bf2ac64a9f5788fbb6acd96d2a3391d5
SHA1 hash:
65a983320eee0701a12db8b79729d99ff2e64d17
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
bf1a93d8c0b4f9830e4d47755c02067d00326f65b237d2cd44f4d48e3dd541dc
MD5 hash:
afde9d52f7e16f06e882e2884e346e1b
SHA1 hash:
581c61ed21a76f7252c9b37df1752e7150f7f766
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
SH256 hash:
5db8c46e59a5b3e8b076488be2b5d4eefa656bf2fe678b949e8ec3f2f8a83a05
MD5 hash:
14558253b3c8664b895e6a022127e779
SHA1 hash:
48d294afda8196284b5c7ec1afccbd3bc20307fb
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
SH256 hash:
b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23
MD5 hash:
a74d4ff639d43c44d7dcf925dfc3b2d1
SHA1 hash:
1db08e8f485ac81d554e836a784589ab4cee8486
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
SH256 hash:
2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf
MD5 hash:
f8f0e589e87202ce0b1657ba331e3fb9
SHA1 hash:
663812bf9037681a9dc953a3520b1f54c17c7845
Link:
https://www.unpac.me/results/a749b0f2-09b1-49a1-af4b-2e962bd885b0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2692c5fb278a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391470/

Comments