MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4
SHA3-384 hash:	03eaacf56aee356fb3cc52999fe8cfd907761ae454836bf01ca5b18b43932c20322cc12d6411cc9bcf7e4e7e9ecb8f32
SHA1 hash:	c7748a8f4b34af3a8e76e1583ac14cd95c32ac9e
MD5 hash:	978af787e7c03fa3cb90bc9cecf33862
humanhash:	missouri-tango-crazy-uniform
File name:	SecuriteInfo.com.Trojan.PackedNET.2979.6041.20917
Download:	download sample
Signature	Formbook Create hunting rule
File size:	693'248 bytes
First seen:	2024-07-17 16:38:36 UTC
Last seen:	2024-07-24 12:31:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:bUME/4AgZ9n0Ao3NX0pQm0FSD8GBkxb3fOOE7MxIpNu4jOtM/u61IVA:FE/4AgX0AL108AGBE3fu1jOeW61IVA
Threatray	134 similar samples on MalwareBazaar
TLSH	T130E4125073A09D13C955A3B68CFA83002376DA212A07DF9B10C8B6AD1DB67D09D766FF
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	00ccd4f0f0d4cc00 (1 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4.exe

Verdict:

Suspicious activity

Analysis date:

2024-07-18 15:22:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/365f7070-6e59-47a5-8b9c-b016f2d223e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2979.6041.20917.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6697f3a9936dc865ddc750f1

Tags:

s w o t t e r

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e698340-3e54-46f3-b4bb-737e955a0b46

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1475253

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2024-07-17 15:58:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fi2gmipef6ajzhf7v4a32k5knaudqfs7lysmpskf7bkwoh6ek7sa._file

Verdict:

malicious

Label(s):

formbook

Formbook

3796cd93f800a4c068bbadb4da09c577330fc49f0fdd171ef3bfffee0b3b555b

Formbook

93aeb18c52bece32042f39cbce6994036ac8556043fdc335bb3fc1453ce8d74f

Formbook

a4de39a318f8fb37cf0ac7f320a6cf7f8b68a403ea26d3c5f8b82630f6693b70

Formbook

d16d34e4b1d1ef563842f3a0e691642da9f814bf240827e704caa57dc3106db0

Formbook

d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701

Formbook

+ 124 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:v15n rat spyware stealer trojan

Link:

https://tria.ge/reports/240717-t5yqxayhqm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6ae81a4b-7fdf-4097-a9a0-33d6858e5f9f

Unpacked files

SH256 hash:

726fc15ab650f469e5a5c0300f5261d43961bfb5713bab962c90fbc6c37e9688

MD5 hash:

64d86b46c505b6488f6996514ec6dbe6

SHA1 hash:

3eef767b9f298582caa83eecbf0b64ed9be98a22

Detections:

FormBook

win_formbook_g0

win_formbook_auto

win_formbook_w0

Formbook

Link:

https://www.unpac.me/results/37e61833-5436-41dc-b1a1-492ce12ef817/

Parent samples :

b362ced287b5f00b3b2ab2c3a7bbc85b57e13271d76a6c65423a831fde92876c
2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4
ecf7d21e6034165420d152b1c77462ac51da9950be2b4eb32f966eda29376aa5
f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96
8e5d1467792caf25ac149070af9ade23a972792a9bddf7ad6b811668e7b72981
2a6ee6b0b17d33a011119d09d27e466d0d640314992d262f03a3789c464044d6
63e3b4304b855b3219c28b8d5306241564ac5f1752a01b5b793ee7733b4c69a7
ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30
d2b2b2ae2cf256bec969052f108726d12ce6f84a2ca91f4baf4683a5bb331c86
a1ce25c899ff86db4e54d042569e0a996d399dcc9a701b551999b1edeb2acb89

SH256 hash:

22bccd89dac770e71c4bf659fa2fe2879c58f439c5b67d048e6d5a7885c93d6d

MD5 hash:

0d4ea09aeadc21fcdb50ad02d7df2eac

SHA1 hash:

d345b418190eb856534f87d18b9d1003b03745fa

Link:

https://www.unpac.me/results/37e61833-5436-41dc-b1a1-492ce12ef817/

SH256 hash:

9e5ffc99c137984f8ebb259045453dad00ef2d302a47339db43c435a45146283

MD5 hash:

06116feeed5a8fd758cc7a9fe9512952

SHA1 hash:

13e5b4acd4045b8029c405652c3c6d987fb28447

Link:

https://www.unpac.me/results/37e61833-5436-41dc-b1a1-492ce12ef817/

Parent samples :

b846450f859085cdf0488cefe8f186559d3a688ef3a1077b478dfdf1c6146597
26b72c81c3128373635fb99afe3e28b5c17a069dbe828229243b3484960521f6
420e0d791c2e5de27eb45cddb00321f7ba3fb3c2a735bd98d440345d01a7bec8
af10f3a48dbedc97b3823fae7eba5e9ff21f21ea9f588fc416884172c6da0b0a
ff91ba5708d63898bb46549107dc2e7b6945d968e1f629ccbe679ad575c1721c
92237dfe62e734cfd7c58327c9386a912388148738c9b11dd4c840fb2a956f12
d2b2b2ae2cf256bec969052f108726d12ce6f84a2ca91f4baf4683a5bb331c86
465c79cd8303aac9888982f9edbca10aecbf7b0dca4df78d2c3a2bb429104ebf
1bf2a9ea09f8638ac50155e3bdb1bfdddeb5d3496d8f44fe2be0b3c57ae16941

SH256 hash:

a9aa93c465a158b1cc576c6bb9ba9a2315b2170a6a0488cd9327b47cdc33fbae

MD5 hash:

766f027b7033f6c8097574e696f0aee4

SHA1 hash:

0730f2a1e7aee93a7fad423487a1e44094e33b3a

Link:

https://www.unpac.me/results/37e61833-5436-41dc-b1a1-492ce12ef817/

SH256 hash:

2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4

MD5 hash:

978af787e7c03fa3cb90bc9cecf33862

SHA1 hash:

c7748a8f4b34af3a8e76e1583ac14cd95c32ac9e

Link:

https://www.unpac.me/results/37e61833-5436-41dc-b1a1-492ce12ef817/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2a346621e42f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample