MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c13447326df9da1edb4700336d4cf841f7575b7505df68ef2ae7bdb6f2d9f5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c13447326df9da1edb4700336d4cf841f7575b7505df68ef2ae7bdb6f2d9f5c
SHA3-384 hash: 25405ff2ff49899f8edb09ef483e5dde72ba7191bca5c914da8c5f527f23f2b38f11c22be14968231f77b7e96703691c
SHA1 hash: bbb6bd54867a9e3ee53521c8bc538aca3c65588d
MD5 hash: c754e46f97def1e03a574662d827d0d2
humanhash: sodium-march-texas-louisiana
File name:c754e46f97def1e03a574662d827d0d2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:433'987 bytes
First seen:2022-02-06 16:07:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:bw1xx8mRGb+5rlBGoRG4Nz474GYDH++06kF/P0iJnbm3XZW:amsj5rlt5Nzs4A+yFXfi3XM
Threatray 13'440 similar samples on MalwareBazaar
TLSH T13C94AD8F23603282E0124F358505BB094B6D5FE62D76CA0EF75D3F97A73AB811E96391
File icon (PE):PE icon
dhash icon e8d8b4e6e68a82e0 (3 x RemcosRAT, 2 x Formbook, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c754e46f97def1e03a574662d827d0d2.exe
Verdict:
Malicious activity
Analysis date:
2022-02-06 16:47:48 UTC
Tags:
installer
Link:
https://app.any.run/tasks/4fee22d5-8d13-4326-bd8c-3c83e7df78cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/233794/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61fff265ad4747e995078300/reports/0981be05-db06-41ba-ac0b-9fa36bfa0ebf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9655be3a-266c-43bb-8c8c-21e2b9028592
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934789
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567267 Sample: Fq1dwZ24n3.exe Startdate: 06/02/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 4 other signatures 2->45 9 Fq1dwZ24n3.exe 19 2->9         started        process3 file4 29 C:\Users\user\AppData\Local\...\xddleuihl.dll, PE32 9->29 dropped 47 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 9->47 49 Tries to detect virtualization through RDTSC time measurements 9->49 51 Injects a PE file into a foreign processes 9->51 13 Fq1dwZ24n3.exe 9->13         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 cmmon32.exe 13->16         started        19 explorer.exe 13->19 injected process8 signatures9 31 Self deletion via cmd delete 16->31 33 Modifies the context of a thread in another process (thread injection) 16->33 35 Maps a DLL or memory area into another process 16->35 37 Tries to detect virtualization through RDTSC time measurements 16->37 21 cmd.exe 1 16->21         started        23 explorer.exe 1 128 16->23         started        25 explorer.exe 1 147 16->25         started        process10 process11 27 conhost.exe 21->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c13447326df9da1edb4700336d4cf841f7575b7505df68ef2ae7bdb6f2d9f5c/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-04 13:09:53 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
081be32fe752d7e270c45f1d7a71889aa4452a590963da8dd75e3f26861ddba8
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
Formbook
705bf99df489a6945a540499bc8c6d7b7564d9a255629e326013d4a85bb77a78
Formbook
71bad0685e5b2447a8dcdc960ee2930ad5ec4910d5d449040fb52cb9754df2a2
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
+ 13'430 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220206-tk8elsbee2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
afaa616c00216064a72251860c5cac715e367bdd40683d93d14b0e832eaf23d8
MD5 hash:
17913c20bac2ddf72d737aa2311ed1ec
SHA1 hash:
bc39842b076c44cfb45b99bddcacd152f27e1d54
Link:
https://www.unpac.me/results/52bed269-23b1-48e9-bb04-4e677417723b/
SH256 hash:
183977ae4b1054731ff00ea59e6da55a67a059ef1365fd2bfa92fa58009160d4
MD5 hash:
8ebc16740ce1af9a6ec64b11dc810f91
SHA1 hash:
19dea7142c63075d46f778dccde0caf00f58dbb8
Link:
https://www.unpac.me/results/52bed269-23b1-48e9-bb04-4e677417723b/
SH256 hash:
2c13447326df9da1edb4700336d4cf841f7575b7505df68ef2ae7bdb6f2d9f5c
MD5 hash:
c754e46f97def1e03a574662d827d0d2
SHA1 hash:
bbb6bd54867a9e3ee53521c8bc538aca3c65588d
Link:
https://www.unpac.me/results/52bed269-23b1-48e9-bb04-4e677417723b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2c13447326df9da1edb4700336d4cf841f7575b7505df68ef2ae7bdb6f2d9f5c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2028278/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/233794/

Comments