MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
SHA3-384 hash: c8238d5088f3aae504ea0e17222ca026322c37d480d6f71d7a23fbb3abe3af4b05da493dab933b1498056a17d0d10bf0
SHA1 hash: 3dab0d6ac85b82314add7e0773ad05635e5dbc1f
MD5 hash: d9145fe0ca078e3e8ed799105e393108
humanhash: william-timing-march-blossom
File name:file.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:306'810 bytes
First seen:2022-10-14 14:37:57 UTC
Last seen:2022-10-15 10:15:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (725 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:ibE/HUk01969hJRIA767oUL5J3RvZrLZcCEyBoh/uwmZZ+:ibw01969PR9xU/1EyBWmw6Z+
TLSH T1AB641294B304C43BC4A067B93DBE67AB4DF2C81651948F1757403EBE38A66A1DF1E361
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320403/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the system32 subdirectories
Creating a file
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43147/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6349745066721ebd9b2e449d/reports/da7c370b-a015-4754-bdce-e6e2d3b75f3f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3d068c8-6030-4845-a957-d5bfbc050daa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1090810
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 723436 Sample: file.exe Startdate: 14/10/2022 Architecture: WINDOWS Score: 100 41 www.topwawa24.site 2->41 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for dropped file 2->57 59 5 other signatures 2->59 12 file.exe 18 2->12         started        signatures3 process4 file5 37 C:\Users\user\AppData\Local\...\duzcazams.exe, PE32 12->37 dropped 15 duzcazams.exe 2 12->15         started        process6 file7 39 C:\Users\user\AppData\Local\Temp\A166.tmp, PE32 15->39 dropped 47 Machine Learning detection for dropped file 15->47 49 Found hidden mapped module (file has been removed from disk) 15->49 51 Tries to detect virtualization through RDTSC time measurements 15->51 19 duzcazams.exe 15->19         started        22 WerFault.exe 23 9 15->22         started        24 conhost.exe 15->24         started        signatures8 process9 signatures10 61 Modifies the context of a thread in another process (thread injection) 19->61 63 Maps a DLL or memory area into another process 19->63 65 Sample uses process hollowing technique 19->65 67 Queues an APC in another process (thread injection) 19->67 26 explorer.exe 19->26 injected process11 dnsIp12 43 www.25800.biz 1.32.254.90, 49703, 80 BCPL-SGBGPNETGlobalASNSG Singapore 26->43 45 192.168.2.1 unknown unknown 26->45 69 System process connects to network (likely due to code injection or exploit) 26->69 30 mstsc.exe 26->30         started        signatures13 process14 signatures15 71 Modifies the context of a thread in another process (thread injection) 30->71 73 Maps a DLL or memory area into another process 30->73 75 Tries to detect virtualization through RDTSC time measurements 30->75 33 cmd.exe 1 30->33         started        process16 process17 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 07:11:41 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkrlqyof7lku4krs7iwmg5uhdtjnqcquqvasa47vwx2gdj3shyuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:sy01 rat spyware stealer trojan
Link:
https://tria.ge/reports/221014-rzqr1adfgk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/95ea53b4-c337-4fba-931c-017a0686386f
Unpacked files
SH256 hash:
5a6b9e753d9f7078ec399721c6aa0405159c63219b217f222f6f20d1240091e5
MD5 hash:
8c34087ed573b47ee050dd24fb30eb52
SHA1 hash:
d46acf9eed2b7c6afd87e189d33b5e05785dc199
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d98dcad1-27de-4eb1-bd6a-19de5ca436f9/
Parent samples :
260f5a6aff298b7aec332ba6500169a52412145dbe6d487f61970d34e7b69c57
2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
1edd52620047de1ae4461b1184c25a995a8b0f924582db0ec808e0f9763b5cfc
e2f2df406e05d13e2245e2fe9da7128c257a7bb11464dce77ce386b51470abd8
b29e424c006aa87230a73e1289e52016446e85dc18dd7d60e79dbb8942ce57d4
9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52
071b55748a4bf8024c8db0de1a1e0201eb18bac7def0ceb902f0ff18039dfb2e
8a5eebc7b8520bde5c361db7249fe0d5286e9074dc7e0bfc555f3f2a1166bb2a
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a
SH256 hash:
85c894999f8f958fd89e36612a392e2241307c2785714e931ce28687ab95ac07
MD5 hash:
751ddb16bf247ba9244bc9c18e0cb28c
SHA1 hash:
360f08b4931095ccf6e58935cc91ab765b72aef4
Link:
https://www.unpac.me/results/d98dcad1-27de-4eb1-bd6a-19de5ca436f9/
SH256 hash:
2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
MD5 hash:
d9145fe0ca078e3e8ed799105e393108
SHA1 hash:
3dab0d6ac85b82314add7e0773ad05635e5dbc1f
Link:
https://www.unpac.me/results/d98dcad1-27de-4eb1-bd6a-19de5ca436f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz d81ef70cc21230ef3f4411c0fa18b4c964d17c5908597195cf2b8ba0c96b8e2a

Formbook

Executable exe 2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/320403/
  
Dropped by
SHA256 d81ef70cc21230ef3f4411c0fa18b4c964d17c5908597195cf2b8ba0c96b8e2a
  
Dropped by
MD5 6ffd4a33de6621fb8ae6b7f7726dc1da

Comments