MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494
SHA3-384 hash:	4672c19c526b002cabe9e4c6d16abe1dfca2624744714f82016ce4dd0ad3a6258f57a57440d5515d3849b4f1d67d6564
SHA1 hash:	abc7f14b9c5305c7d127ad53d0f0c9cd17af3b07
MD5 hash:	f3d7308ba02ae2418b7133bb54af2f2f
humanhash:	winter-chicken-oregon-london
File name:	f3d7308ba02ae2418b7133bb54af2f2f.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'072'128 bytes
First seen:	2021-01-19 12:12:56 UTC
Last seen:	2021-01-19 13:35:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:kgYUGwifQf0frS8Hkvls6fa11hYzZ7RS/O:kgYUnGS7+6fa1CZ
Threatray	3'606 similar samples on MalwareBazaar
TLSH	3D354A983E00F68EC427C871C9581CF4BAA56C66D70B81476057FEB9BB3E856DE1D0B2
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f3d7308ba02ae2418b7133bb54af2f2f.exe

Verdict:

Suspicious activity

Analysis date:

2021-01-19 12:23:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3aabc9a7-5186-4578-b434-b9f2b65175ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/112862/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.20400.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/584940

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-01-19 12:13:21 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fll6cxszyboxd4tifka7fpziolvuiintiosmjolhjcrrazcekska._file

Verdict:

malicious

Label(s):

formbook

Formbook

3579fdebe1647aa6a9172a2d808fa43b66a9ebc0e09aba02e1ed70d74dad67e2

Formbook

750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec

Formbook

7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af

Formbook

7cea909eb4fef13fdeee846b808200826a8de0292ba555bcc4fefdde642dbb55

Formbook

8daa411eb30ad00d9be98b72d66343cd681616040c1b825a4b35bfc2a27ee1de

Formbook

9335b040e7823155fcde32d1cfd5268db42e2f9c191e2144269800adb2a820d8

Formbook

b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55

Formbook

ba2963b7da8a1df3e40441825654972ce2a5903c9f27bc081e42795c296c80eb

Formbook

bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae

Formbook

+ 3'596 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210119-5tlat8x6ga/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.rizrvd.com/bw82/

Unpacked files

SH256 hash:

0741117b2fafba8a3a8ae382fc10786bb2529a8432ce0577c6935e8526ddac5b

MD5 hash:

68636a5ff4233a2c2eb38ff504bc0433

SHA1 hash:

de4bb3f7abdfdcb03af952cae091d98ed8ed6f71

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f579003d-5b48-4faf-861c-51b6a0bcf474/

Parent samples :

0110a52c51d060db8c4b9f3d654340fdf954bd7ceb47956e235ebe5921a57df4
7cea909eb4fef13fdeee846b808200826a8de0292ba555bcc4fefdde642dbb55
38a0bf5c98a42c67d5612b0b377c51725caedc64b19f9c4d20f0ebc6fe972c0d
cd1cdd19d3500f9947de10caa28d3fad75bc207faa10b7f9f7aab88c720dea1b
8ec223664a9b73308e2fdd73bcaa525d4a152a0b9ab799889539d98efcc07c09
bda9b47b8a3ca85a643a426750e309fe77d948e2d6f704a8a56ba452dd1531ae
6c953b93cf75e79db29a1ae424ee8da08962cbda1ec84a49281cccb51013594b
9335b040e7823155fcde32d1cfd5268db42e2f9c191e2144269800adb2a820d8
4924681f7988a37fccc12475b5cf9fa0013fb00d1a8da2dfc4c4e25236b35d7d
3579fdebe1647aa6a9172a2d808fa43b66a9ebc0e09aba02e1ed70d74dad67e2
ba2963b7da8a1df3e40441825654972ce2a5903c9f27bc081e42795c296c80eb
b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55
204cd2ef2cb64300f46ba8ce7dae3507b6861cd9225e3bae6fc2303360585ef4
38f7338384d3c8576e23aa876f7819c1f201e027bb586900aca0411ea665f07a
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
7b5c683c8f9571d55f21bdd73cec4b0f39a169265e58c5877ca94203e61548af
2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494
ed035bd3cdab82c607f296fd966c4064f0f04c9011d9e7744ca3e7739ed7269b
27196c6c79c8cdb02b4ee6b1028ec11aa38bbeea6d94d956a22ab1228c65b733
1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab
31f4d8bb8797649e9de2f8adc7b7e679775784d33d686d7c76429c4fe97a7c07
b073ef66058998fc6ee7c61fb6eeaffe28a816f36dda995edcd1a6e893deedd3
73acf08c9a3ee5b8208b8e21f1c88d9820b6bfc58ddbf1d7eee2029b7626d271
40acc1cfe1986fee292469e21c175d68bed0502f46af424d0cd8ec42e0ead72d
2938b38c785f109befe2eb2768082aea672c27e978e52998a4bca8526b1a669f
d63c5bbfea14e5cbfc013e0df1c94ff9eb0ea87d95bcd3fb8ff9047cd58dc8aa
9ba1b16e84be57d419e0a19248f13f186bcf9a2d98e97936e16d1fceb0357b97
7dfb2d60095157148fcb26bdfc4270ce6d5e3678c60628b8f683c4e1adbd8043
ebbcc767acc5337309a6f0770c52236b131cbcffb3e843e4bf132489cb2001cc
5d85f149c5450263866d98fadff08504e1a05837cdead5792f291303dfa3438d
0a818e0d6e682be8b8b7a4ec2becdb2de6c05d5503c6f397a63d18ccf0fa9b0f
958cedb2b814c4f1e6c4cb514d5b3eff4a816777baa9533f67f3106b4e18920a
8a432739f45c70d580007c9e4586d826507821bd978c192a5f99c51e85444e6c
e2f640f8cdc89a54ecd8d1a0c8d4b8a4d1e6560f086fd82d05e0010d95a1d9e9
2389280eef390b0fc6e10447d91e265c3c9fb0de749707a8aeeb1a72de2269c4

SH256 hash:

a976feef8eb3bcaffab471cff1bbaa143b1b5b031e0f51c9485ae7fbd2217327

MD5 hash:

21eb91fc438e525158a4a3bd947488a4

SHA1 hash:

99ddb6035333e73c8247d72e674df2a731f7d690

Link:

https://www.unpac.me/results/f579003d-5b48-4faf-861c-51b6a0bcf474/

SH256 hash:

1da2329b066de952015546c59bf4babbc467c76c35685746d4a9bedb54fb37f8

MD5 hash:

aff0a3d2bfad87b8b723d0467d244152

SHA1 hash:

095b647ab46375029fda0a636ec7b530763110bc

Link:

https://www.unpac.me/results/f579003d-5b48-4faf-861c-51b6a0bcf474/

SH256 hash:

2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494

MD5 hash:

f3d7308ba02ae2418b7133bb54af2f2f

SHA1 hash:

abc7f14b9c5305c7d127ad53d0f0c9cd17af3b07

Link:

https://www.unpac.me/results/f579003d-5b48-4faf-861c-51b6a0bcf474/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 2ad7e15e59c05d71f2682a81f2bf2872eb4421b343a4c4b96748a31064445494

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/970633/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/112862/

URLhaus

https://urlhaus.abuse.ch/url/971752/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample