MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12



SHA256 hash: 2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf
SHA3-384 hash: cb1b8181ff6cd9efc161867c048ea869af52f514362338cd50fc6c3c113e70e3ffb1030657fbdfcfc8aaae37ed012bcb
SHA1 hash: 6e9874bac7b065a42110cef5c1b060de94123b2d
MD5 hash: a3bd608d019d827e4eee68f67f39a444
humanhash: washington-johnny-quebec-delta
File name: SecuriteInfo.com.Variant.Jaik.77520.20069.28067
Signature: Formbook
File size: 340'579 bytes
First seen: 2022-12-09 01:27:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep: 6144:9kwmZ6RfPyO6qBUnqk5yx+9JjOGNE1STKB7xUbGpn9C+xv0/159Xmj2pO6GInyw:qZ6RfPyO6ZqN7GNsTVxBp9PdK5XmK5p
TLSH: T18E74228B38E9E8BFD4A500F041B78ABFE1B1E2010546568F9F384BFAA1159836F06657
TrID:
  92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
  3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 179
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Reading critical registry keys
DNS request
Sending an HTTP GET request
Launching a process
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph (ID: 763864)
Sample: SecuriteInfo.com.Variant.Ja...
Startdate: 09/12/2022
Architecture: WINDOWS
Score: 100
Top-level signatures:
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  3 other signatures
Process tree:
  SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe (started)
    Dropped file: C:\Users\user\AppData\Local\...\igyfrxru.exe, PE32
    igyfrxru.exe (started)
      Signatures:
        Machine Learning detection for dropped file
        Maps a DLL or memory area into another process
      igyfrxru.exe (started)
        Signatures:
          Modifies the context of a thread in another process (thread injection)
          Maps a DLL or memory area into another process
          Sample uses process hollowing technique
          Queues an APC in another process (thread injection)
        raserver.exe (started)
          Signatures:
            Tries to steal Mail credentials (via file / registry access)
            Tries to harvest and steal browser information (history, passwords, etc)
            Modifies the context of a thread in another process (thread injection)
            Maps a DLL or memory area into another process
        explorer.exe (injected)
          DNS / IP:
            www.commongoodprojects.com 216.40.34.41, ports 49695, 80, TUCOWSCA Canada
            bakels-genot.com 37.97.254.27, ports 49698, 49699, 80, TRANSIP-AS Amsterdam the Netherlands NL, Netherlands
            7 other IPs or domains
          Signatures:
            System process connects to network (likely due to code injection or exploit)
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-12-09 01:28:08 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 10 of 40 (25.00%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader campaign:k6n9 loader rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Xloader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 191ce48d6e0f31986de6425c9cbc36606b8234740b42ec0eeb931ed718aea267
MD5 hash: 336530c447c306b08eae5e3007b60566
SHA1 hash: 7b93b113d140d1d215c4009109b117e7f302dae6
Detections: XLoader win_formbook_auto win_formbook_g0

SHA256 hash: 5c773c9a3cb12e2241f8b533d5d47022d5d3aaa69e1944f4c55310dbdc49fc1a
MD5 hash: 4db514a22af97956b68bd5f9edf4ad80
SHA1 hash: 574c4eab6067fef0c216199238d3f8375ac22ade

SHA256 hash: 33f39802122e635d006cd6f5201beda767b63820861d2f495085298e177033e6
MD5 hash: 6e572e3351b0763a0efce0f673d5053c
SHA1 hash: bae90372112b2f148d090022c85bd62e9f0ffa1c

SHA256 hash: 2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf
MD5 hash: a3bd608d019d827e4eee68f67f39a444
SHA1 hash: 6e9874bac7b065a42110cef5c1b060de94123b2d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
