MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b
SHA3-384 hash: f7513263aa999d91afe558b0638b13a4e50434364f6f432aa2d22eb91b913c517507302b188d663e0a7efcff0fef8f04
SHA1 hash: 2fadf244fd7567e18c2c86237e290af6e1581885
MD5 hash: e3488000bfab3d82a4fd31206ba01954
humanhash: fish-golf-triple-spaghetti
File name:e3488000bfab3d82a4fd31206ba01954.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:450'048 bytes
First seen:2021-09-24 08:47:07 UTC
Last seen:2021-09-24 09:54:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Inw7AifGHfcli22QzEtu5zwIpxK168JTn4X8wL4oYxV50ENTOfSc0cDR1Jon4KgI:HnGE/z75FkbnW8u9YxVT7+Ro4Kg
Threatray 9'628 similar samples on MalwareBazaar
TLSH T1D5A4EF1193DCCEAEE3196A7858546C1085A3D3ED21E2EA4AED5D54B23CEB20CF710ED7
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e3488000bfab3d82a4fd31206ba01954.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-24 09:01:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d706bfed-6393-433c-8f4d-797683513b43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191126/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Noon.lc.31904.31247.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a174f67a-1b0f-4e6e-a1a9-81a8ab3f1520
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857210
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489638 Sample: UGHpu7KlZ5.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for submitted file 2->40 42 .NET source code contains potential unpacker 2->42 44 Machine Learning detection for sample 2->44 46 2 other signatures 2->46 10 UGHpu7KlZ5.exe 3 2->10         started        process3 file4 32 C:\Users\user\AppData\...\UGHpu7KlZ5.exe.log, ASCII 10->32 dropped 58 Tries to detect virtualization through RDTSC time measurements 10->58 60 Injects a PE file into a foreign processes 10->60 14 UGHpu7KlZ5.exe 10->14         started        17 UGHpu7KlZ5.exe 10->17         started        19 UGHpu7KlZ5.exe 10->19         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 21 explorer.exe 14->21 injected process8 dnsIp9 34 www.peachtreedme.com 21->34 36 www.outtanowhereentertainment.com 21->36 38 peachtreedme.com 34.98.99.30, 49771, 80 GOOGLEUS United States 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 25 raserver.exe 21->25         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 25->50 52 Modifies the context of a thread in another process (thread injection) 25->52 54 Maps a DLL or memory area into another process 25->54 56 Tries to detect virtualization through RDTSC time measurements 25->56 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 08:48:17 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
410659d6e76a955d58e88df12ffea3550a57758513630f051c6e66caa343fdad
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
54507294252cb270a6b1944f838eb0428d87fbcfaf05e887126d5754af3ec1fa
Formbook
6bb763ffd1ca484344f2a02df3f9e6bddc18a0f1fcd5d58002ad16b82b36db90
Formbook
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
Formbook
7024147e75938acd54b804df172c63b57c794e1980632c5f8190ae1e9d0da82a
Formbook
af0af3ebf3ac231ad77dbe4cbfa0fb2d48312d4ca0b5431081046ab09aa3b552
Formbook
b11a7103f96fb02a8df7ad0e821f0083f48f56cc38df47d8573f39c0d4a19235
Formbook
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
Formbook
f03c40561ba64d0797bcf79bfefd015c8d9ca010f1bd67b3d27ffab584a9911e
Formbook
+ 9'618 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bckt rat spyware stealer trojan
Link:
https://tria.ge/reports/210924-kqgz6sgddr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.picnictablecompany.com/bckt/
Unpacked files
SH256 hash:
7d7501fb22cb18f10bfac1575359ff3a7e9ba934985a8184d02e5a26a3c4801d
MD5 hash:
4c1f6f8f4bf9678c49d6ea74baca3576
SHA1 hash:
3209fc3defa6d9eeb8ed06fe8cbcf6a69c84c782
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f7d94e8-2821-4655-be14-91b4812742a7/
Parent samples :
7024147e75938acd54b804df172c63b57c794e1980632c5f8190ae1e9d0da82a
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b
043b45f9d94820186d7324c5f6e0fd7661de15ad29104fd43294e2f3839efa06
92c90d735148f7fd056e2d53bf44239f3fdab6b029e78d3ed6077d9c7f40aef2
c7ea020c54d4ce9a629d57feb15e38fac8457b14221386111ef022735e375d13
5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979
SH256 hash:
74b796245fd278d7702612d341cd9d7a6a2c86d0d130fd41df3b36c91089ea5c
MD5 hash:
5d02fcf2ded2882ef3f6593b85209f00
SHA1 hash:
ee54f15652dce3374d0df26d416a5a4ec9c0dae3
Link:
https://www.unpac.me/results/7f7d94e8-2821-4655-be14-91b4812742a7/
SH256 hash:
d989baf1ae68b4eaf6ad9d55b2409bd06b036ad4c555e8277a57e4bab6f2efa1
MD5 hash:
9b819753313a843fa889000f996d2c94
SHA1 hash:
66e740717eb024ff7bdf08d86873c36fb0668077
Link:
https://www.unpac.me/results/7f7d94e8-2821-4655-be14-91b4812742a7/
SH256 hash:
61dcad571c54173bd37b4d4e7508b6455f6a54c90ee47ca2b6959e9cbdc65eb2
MD5 hash:
d8e57e7bf8dfe611427511dcc5ae2ec8
SHA1 hash:
6231876cd1efd87e07d10c20c711f2899426344c
Link:
https://www.unpac.me/results/7f7d94e8-2821-4655-be14-91b4812742a7/
SH256 hash:
2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b
MD5 hash:
e3488000bfab3d82a4fd31206ba01954
SHA1 hash:
2fadf244fd7567e18c2c86237e290af6e1581885
Link:
https://www.unpac.me/results/7f7d94e8-2821-4655-be14-91b4812742a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1599707/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1583603/
Cape
Cape
https://www.capesandbox.com/analysis/191126/

Comments