MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374
SHA3-384 hash:	413d5ca6ac1f0aad2a40ca993464ec752a9d474e4afe38c3def17d096401b9746890d3c7c8b4a67481889780f0ebbfae
SHA1 hash:	d85b7cf1d1544fb02c50f0ae8fdf24e85adb86b5
MD5 hash:	f4689766d507f4eb2f206cf8ea3e237d
humanhash:	early-white-alaska-ceiling
File name:	SecuriteInfo.com.Trojan.PWS.Stealer.23680.7194.31659
Download:	download sample
Signature	Formbook Create hunting rule
File size:	235'130 bytes
First seen:	2021-08-25 10:17:16 UTC
Last seen:	2021-08-26 05:25:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	35807dcde258f88fa3ce5c21adc607fb (5 x Loki, 4 x a310Logger, 2 x Formbook)
ssdeep	6144:JwX/EDsssssssssssssvxx02JKflFxLav6qGJyogGzssG5O5POJKf:J4/EDsssssssssssssJ7YtF9eGO6ssGa
Threatray	6'020 similar samples on MalwareBazaar
TLSH	T10F34127E54A709B8DE28003306FFCBF87A50AC39C3A42AEE90D57215ADB1AE77047755
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PWS.Stealer.23680.7194.31659

Verdict:

Suspicious activity

Analysis date:

2021-08-25 10:22:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/af0bcbe4-a04b-4b0f-b52b-ed09d551dbef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/182259/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.23680.7194.31659.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Sending a UDP request

Sending a custom TCP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4c8eaa48-e934-4183-bb42-9bc71c936a68

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/838948

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-08-25 10:18:04 UTC

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fk2u4rv6r2fbw7tgx2n62ves4lfvyqis4veeilratfkk77bnyn2a._file

Verdict:

malicious

Label(s):

formbook

Formbook

385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4

Formbook

3cec9bd714745b020366af9537184c619794ef4dee36c99093f53b243c97dcc1

Formbook

5b7a858563dfd290658d183a0d1c101e39a9dda3327e84c11ef12bc873cb98b9

Formbook

80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98

Formbook

8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46

Formbook

93f0775c5a5512759f85db7b3d1c4b3ee7049369cd0dcd1d4f778626621bfa0c

Formbook

95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4

Formbook

a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

Formbook

b55552391ee123f26e577b412c0df78bd0a59644ec510d1e7e708feff12a2abb

Formbook

+ 6'010 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:b6cu loader rat

Link:

https://tria.ge/reports/210825-wchb6ha34n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.xn--marketingrevolucin-61b.com/b6cu/

Unpacked files

SH256 hash:

68a49f8d55aecf2551c16097b302614bcd617a3d1b565f37cd45a92993d0f065

MD5 hash:

1bfe6840b1414ec3315aa2735431fb71

SHA1 hash:

f6e382e2d534b5edc965d5053b6a4c63488e4c43

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5c3c1e33-ddd0-4d52-851e-a31e6e3931c2/

Parent samples :

93f0775c5a5512759f85db7b3d1c4b3ee7049369cd0dcd1d4f778626621bfa0c
5b7a858563dfd290658d183a0d1c101e39a9dda3327e84c11ef12bc873cb98b9
d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25
52aaa20eef4d75bb209ef1d632a3e5a894358ebbd5ae9e18262868209fa30b7c
8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46
4f611f4466203533e8cd92ac4c802d90ab056c928bcec7c470b8d61570dfc967
bd015a47e8e376d7cfb70b5ebc81328a9c3a3cdc45d03635b107c106555d55a4
45278d169fd9dfd30355570aec0c04c274d71eec2543d0b33e7e2a641ea93eb7
2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374
8c84e97b71aa8d34be8742cd4b6c0b86abdfb92379b099465eb751b0882efb23
43368f8d0f777c8f0a9fb5dc2ec89f131275873935098ff8a12be41cd2161ecf
c71e73a5006f03bf63ad6099f034a3d19a130a6893979c43318eca2cb6bfd224
e4c51cfe125602ab5cd33e751d121395c59599055a8294a5234c37a399ddf582
7da12f9f66e5a7ee4f9a6a025c6c3a1464ea85d0d805d2f7e85537c24a4ad6c0
c8e7193944ede931e488cd5e85554447e4da772455bad4a8e8b40840d9a5f8e9
d6fa87fb59dbf4de1d1d0af1062a41e6a9620b682ecdfc0eb91856e28b9ea1de
0c5e61b415a6ebd50f07b9a3eab5bb7fd6b501715e9f3968c4ea2dbc7323f189
9b2ccbdf764922ff44a99056461539087a21d4ace577956e8659ca65eb5015d1

SH256 hash:

2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374

MD5 hash:

f4689766d507f4eb2f206cf8ea3e237d

SHA1 hash:

d85b7cf1d1544fb02c50f0ae8fdf24e85adb86b5

Link:

https://www.unpac.me/results/5c3c1e33-ddd0-4d52-851e-a31e6e3931c2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.13

Link:

https://yomi.yoroi.company/submissions/2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182259/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample