MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
SHA3-384 hash: b9f10677c4ad9cba19363edee7cd76c73b38c10961108472973cadacaf9c09d0d7210a8b599dea891409587d420f84d0
SHA1 hash: 7830a95bf645b1bce599e4c3ffb7ca2c74756d0a
MD5 hash: 649587a22d4d6da8d4f7aa2c2d4a195e
humanhash: west-twelve-september-eight
File name:2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
Download: download sample
Signature Formbook
Create hunting rule
File size:804'352 bytes
First seen:2025-01-10 14:38:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:EKJzdY9shQgqL08bCVUNPJneQbcV4yUbBnpYrppppQHluarcifXWFIPs4T5d:Zdhl8qUVleQbi4yUtpYrLpQlPNWhkv
Threatray 33 similar samples on MalwareBazaar
TLSH T1C4050154AB5DC417C99416348EA0F6B926689E8DF912D207AFDCBFAF3C72B151C482C3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 30d4f068e9b0d430 (7 x Formbook, 5 x AgentTesla, 2 x VIPKeylogger)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
Verdict:
No threats detected
Analysis date:
2025-01-10 21:17:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cd418e5f-a25a-471b-87a0-843ad4c81fc4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Crypterx-10038718-0
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678131332c8240e189bb8ff9
Tags:
virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit formbook obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6781310c72a72c6ee1c01e9d/reports/deaeb6c7-da85-4f22-90b0-0b27c08c8dc5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6eb87e4-6c34-4223-835e-7790181b707c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1588298
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-12-09 09:46:08 UTC
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmrx3oocemuppsrhlap3o552gldtklebyymibqhq2itomzrvk3oa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
12d47f62ed1f5d60193a3a3099873286365c15dc6bf9df17aa250e1f7660c36c
Formbook
2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
Formbook
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
Formbook
7eaafbaab938950dd4391329f899ef84b9e37267433dc3ca88545e0304be2124
Formbook
b35b2cdd55c218208aaf1848f827c0a82d6b4886ef21b2611ef834914cf48f8b
Formbook
baccdf8ebf6b1196dec0a68de4d1917b0f23a5e3f1ef5d7556a5bde9be5e8e6c
Formbook
error
Formbook
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250110-r1clrszjhl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
Win.Packed.Crypterx-10038718-0
YARA:
n/a
Link:
https://app.threat.zone/submission/cf128305-90f8-4c41-ba4e-dd6a76022302
Unpacked files
SH256 hash:
7a70f53f93eab2279574e0a365053f30a3f9a5615bbdf1f212e38eba6c424279
MD5 hash:
ddb9033e4bf58df3cd84fb84496a879a
SHA1 hash:
0c6c15183be60cfd712be27efee55f36370e4d93
Link:
https://www.unpac.me/results/6614d2c4-c7ed-42be-8d70-1d1cfd6c7326/
SH256 hash:
05c0e6dcf3bea9540ce1e9d98d30b301e380bddf9f04948175eb23de8db3535f
MD5 hash:
4f24d8a3c4a88347ffe38c3363c0cd94
SHA1 hash:
eb4e3d04f91f44c37f53c677d66f273bb78f8d88
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6614d2c4-c7ed-42be-8d70-1d1cfd6c7326/
SH256 hash:
4572d6044473fb1fb2dada605fbf179df2a9791ce86f0988283af6ee18613483
MD5 hash:
d7f4768b5724addfd2220fccbfa37379
SHA1 hash:
12380cddc774305d2da9ff759dbd3bc2ae5620ba
Link:
https://www.unpac.me/results/6614d2c4-c7ed-42be-8d70-1d1cfd6c7326/
SH256 hash:
206f66ee7caf705a21a1c756a949218f9ffec6dab58ce6de020883f9875a68c6
MD5 hash:
e961985c9ffbbd37ae75e6101c3ae23c
SHA1 hash:
0e9e8eccda811b1472c06c3c2ff829dea9a04402
Link:
https://www.unpac.me/results/6614d2c4-c7ed-42be-8d70-1d1cfd6c7326/
SH256 hash:
2b237db9c22328f7ca27581fb777ba32c7352c81c61880c0f0d226e6663556dc
MD5 hash:
649587a22d4d6da8d4f7aa2c2d4a195e
SHA1 hash:
7830a95bf645b1bce599e4c3ffb7ca2c74756d0a
Link:
https://www.unpac.me/results/6614d2c4-c7ed-42be-8d70-1d1cfd6c7326/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments