MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5
SHA3-384 hash: a66d9e708dfb4ce869825f3899f44f7d2164409852421adac92c4adc426e30b3d4a32079dcf677b4f6d5a0a0ed17ec81
SHA1 hash: 7c9151a78921e4b3190a7775db3b96ee8c159fb8
MD5 hash: 39c2b8488da397dea7f3690d8d945a33
humanhash: item-fillet-comet-bakerloo
File name:39c2b8488da397dea7f3690d8d945a33.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:443'904 bytes
First seen:2021-11-30 07:25:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:IlMM2kQqvZRH/c2KFix1DrLwYJ8zzr191b5tgtcHHhB/bQTYBDeJ/HGfIFO9nxST:IJKI9nwVz191b5iyn4QDeJvAx9nkGH
Threatray 11'802 similar samples on MalwareBazaar
TLSH T17394CF93366492F6E13D5BB3BE53900E17632CF9AE52C10C6AD3F6CA2971B600E54673
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
39c2b8488da397dea7f3690d8d945a33.exe
Verdict:
Malicious activity
Analysis date:
2021-11-30 07:37:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6aa4b208-7e53-4e83-81d2-f8e165bd29a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/209839/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1122.29672.3688.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61a5d20dc4c531414822fbcd/reports/a9cff6ce-450c-429c-8642-58e86f654dd0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b67c5de-79c8-4a20-ac58-9dd2a2286394
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898487
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 530963 Sample: tIeRLpHd46.exe Startdate: 30/11/2021 Architecture: WINDOWS Score: 100 31 www.omikotlegluconormix.biz 2->31 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 8 other signatures 2->41 11 tIeRLpHd46.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\tIeRLpHd46.exe.log, ASCII 11->29 dropped 53 Tries to detect virtualization through RDTSC time measurements 11->53 55 Injects a PE file into a foreign processes 11->55 15 tIeRLpHd46.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.fellezaclinic.com 61.86.246.55, 49814, 80 KCNKintetsuCableNetworkCoLtdJP Japan 18->33 43 System process connects to network (likely due to code injection or exploit) 18->43 22 explorer.exe 18->22         started        signatures11 process12 signatures13 45 Self deletion via cmd delete 22->45 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-30 07:26:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
Formbook
2f6e89afd122fb052c5ad063bfe784b854157f9ff99af0a8aae4b7d19641ff61
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
680993e1220c8d918f192ae23c5c01b6357c58ad68b7cc59fa122c09b7b85cdd
Formbook
7d1844147e478bee58b0c3a4789dd5084fd47807edccc924ff8c7438815b8d95
Formbook
90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715
Formbook
98257df783e840e80743c3482da475c0a8b0505b1eef573c4f7c968a9e53cdfb
Formbook
b94594b975025469886d9e5a2a2f119e5f8a9f7b82ae24226499efb7d954a061
Formbook
e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180
Formbook
ff64ff314c7947e5faae8181ac818b124a6d17d0fc3a66e8777a78a613d6093c
Formbook
+ 11'792 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e9gd rat spyware stealer trojan
Link:
https://tria.ge/reports/211130-h9jl1ahdb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fellezaclinic.com/e9gd/
Unpacked files
SH256 hash:
752627e01c6aff20178c7e9dda850df9829b317619c0f38a0ef7f450964d9796
MD5 hash:
5549baad29eb5c606c49adf842bce82d
SHA1 hash:
af89fe61c3f601c243441e6b02779a41c5ad4ee4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e6207492-2b2d-420f-b2c0-0a494ddababb/
Parent samples :
7d1844147e478bee58b0c3a4789dd5084fd47807edccc924ff8c7438815b8d95
2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5
SH256 hash:
b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365
MD5 hash:
7b0900da932f4ed9630d65b04422736d
SHA1 hash:
6fa340436e3a8e73ae2b3e911f861483183c68ef
Link:
https://www.unpac.me/results/e6207492-2b2d-420f-b2c0-0a494ddababb/
SH256 hash:
d68d3fa3eaf2bb5564c1b2438b23b1e35d49872f1eb40b6879f372bf2fae5068
MD5 hash:
9954a8aea04f9059ebaeb2b1f068ded2
SHA1 hash:
2d655b61cd3fb804fc594d11d1f72525eb9f0a51
Link:
https://www.unpac.me/results/e6207492-2b2d-420f-b2c0-0a494ddababb/
SH256 hash:
2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5
MD5 hash:
39c2b8488da397dea7f3690d8d945a33
SHA1 hash:
7c9151a78921e4b3190a7775db3b96ee8c159fb8
Link:
https://www.unpac.me/results/e6207492-2b2d-420f-b2c0-0a494ddababb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1833506/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209839/
  
URLhaus
https://urlhaus.abuse.ch/url/1838502/

Comments