MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 13

SHA256 hash: 2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f
SHA3-384 hash: 77b6c3dd7f1b5470492a3b83e0b59bec39fcf22aeb980b0a539dd4ae5efdc7c9fbd359546d4909270a9f0e747437fe11
SHA1 hash: 92e2887bc10089607141e78bc6702166ffa8ee32
MD5 hash: 7cc23aa86ee79dc1e11a395e85096ec3
humanhash: mango-idaho-oven-jig
File name: SecuriteInfo.com.Trojan.Packed2.42809.24249.27917
Signature: Formbook
File size: 890'368 bytes
First seen: 2021-01-21 21:05:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 24576:sKy9gYUGwr09fUt09fUMC94rb24jYzzECFrN+:sZgYUnGfU8fUJKi4jaFt
Threatray: 3'574 similar samples on MalwareBazaar
TLSH: E915E0242784FF15E1BE6776D8B40560C3F9FC03D622D9AF6DE1398E68B3B95891130A
Reporter: SecuriteInfoCom
Tags: FormBook

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 169
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: NEW AGREEMENT 2021.xlsx
Verdict: Malicious activity
Analysis date: 2021-01-21 17:59:04 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
Creating a window
Creating a file
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2021-01-21 15:01:41 UTC
AV detection: 14 of 27 (51.85%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader loader rat spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction: http://www.rizrvd.com/bw82/
Unpacked files
SHA256 hash:
c6f0a030f7a0259c4462ca32b9ccd5c2883f41e65c585eab44ed3165f15a4c8e
MD5 hash:
557278165d26498c08e0fc2e8b41346c
SHA1 hash:
b28d8607223c6ecd69aacb4d81d66b7dfe00268e
SHA256 hash:
f1e6d6b6ed070fac3a5f799e0ea7fc8b8c33013c452bd45331e062f0c7670109
MD5 hash:
ce25dd8050527cf169e86695f999286b
SHA1 hash:
ebbc1663876fc28f8e11238c3a42a2b2615dbe39
SHA256 hash:
0741117b2fafba8a3a8ae382fc10786bb2529a8432ce0577c6935e8526ddac5b
MD5 hash:
68636a5ff4233a2c2eb38ff504bc0433
SHA1 hash:
de4bb3f7abdfdcb03af952cae091d98ed8ed6f71
Detections:
win_formbook_g0 win_formbook_auto
Parent samples:
SHA256 hash:
2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f
MD5 hash:
7cc23aa86ee79dc1e11a395e85096ec3
SHA1 hash:
92e2887bc10089607141e78bc6702166ffa8ee32
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The entry below shows additional information about this malware sample such as delivery method and external references.

Signature: Formbook
File type: Executable exe
SHA256 hash: 2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f (this sample)
Delivery method: Distributed via web download