MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c2c265388a6a35791a4bb896cfcfbb7f14022b3e0256dbb5e0c14b81e1a47dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	2c2c265388a6a35791a4bb896cfcfbb7f14022b3e0256dbb5e0c14b81e1a47dd
SHA3-384 hash:	837577245c81cb5047a350c2b86673e8051ad0f29741e0dc8b7497d9177ec569274fb3b13246caf9a40b03923ef6553a
SHA1 hash:	82ab62cd17f0c2512fcd8d764c69309523cd3cdc
MD5 hash:	509ad1f864d2b0ecd54a5008d080807c
humanhash:	pip-tennessee-diet-hydrogen
File name:	Purchase Order_ ENQ REF_PDF________________________..exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	2'072'984 bytes
First seen:	2023-05-30 19:48:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:ynoyoWrAnzcL+gh12wNQ57HRRT+8mi2v5F1:ynoquzc8wNQxRRTW9v5F1
Threatray	1'457 similar samples on MalwareBazaar
TLSH	T137A5129433A5C467EA2C82368621D1F093657EF8E611D2873ACD7F6F7BB134219222D7
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	James_inthe_box
Tags:	exe FormBook signed

Code Signing Certificate

Organisation:	Mozilla cooperation 2023
Issuer:	Mozilla cooperation 2023
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-05-30T06:18:56Z
Valid to:	2024-05-30T06:18:56Z
Serial number:	8d129147a97857f2e78c2a5696559c29
Thumbprint Algorithm:	SHA256
Thumbprint:	1aecf894a1df45b31c7a7571a0fc7a6f759007dbf0c69c73aac86ac8e12ba034
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

412

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order_ ENQ REF_PDF________________________..exe

Verdict:

Malicious activity

Analysis date:

2023-05-30 19:50:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1344358-54ca-4934-878e-6719f2854909

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/393762/

Detection(s):

SecuriteInfo.com.FileRepMalware.18187.4624.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6476532e265e4e1dc7e52c09/reports/959ebe19-b8f8-437c-a046-d6ce85904635/overview

Verdict:

Malicious

Labled as:

MSIL/GenKryptik.GKGW trojan

Link:

https://www.hybrid-analysis.com/sample/2c2c265388a6a35791a4bb896cfcfbb7f14022b3e0256dbb5e0c14b81e1a47dd

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/3a4cbcef-2604-4d9f-852b-b1994204347f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1245594

Signature

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c2c265388a6a35791a4bb896cfcfbb7f14022b3e0256dbb5e0c14b81e1a47dd/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2023-05-30 11:34:45 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fqwcmu4iu2rvpenexoewz7h3w7yuaivt4asw3o26bqklqhq2i7oq._file

Verdict:

malicious

Formbook

13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10

Formbook

3cc2f46e36577be2638cee152ef4c7500f50c5d403c34a7b37e90734f754b013

Formbook

3fcbc2bcb77ddb0ccb6cf77f2ab4af72eb622f2da7cc29b62cf523b17f1f6898

Formbook

4a26b1d03db10e6808ac8d4337a4c88c448b87432e2d1c593a647ec103ec4a2c

Formbook

577a6f8ac673a1b176fd32c9b8fe01178fee10a2602e3ccbc02b3fdebfa9bf0b

Formbook

88d0963292143c5ba31261b14fa12f59edcd78df1bea35281e8cf080aa1460c0

Formbook

91ac5e95c271f56efcf7f8c2f1ce27579242a2cdca317fd11bf7ff380c9750ed

Formbook

bc9a80c327839012274d763d66186497685a6b73e0b20eea73c720d61f5c9407

Formbook

e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025

Formbook

+ 1'447 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230530-yjm5habh2v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

2c2c265388a6a35791a4bb896cfcfbb7f14022b3e0256dbb5e0c14b81e1a47dd

MD5 hash:

509ad1f864d2b0ecd54a5008d080807c

SHA1 hash:

82ab62cd17f0c2512fcd8d764c69309523cd3cdc

Link:

https://www.unpac.me/results/1ddaab62-0045-449b-8927-bae8eb7b840e/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2c2c265388a6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c2c265388a6a35791a4bb896cfcfbb7f14022b3e0256dbb5e0c14b81e1a47dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/393762/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample