MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3
SHA3-384 hash: f986721aaa9b0a828d36be273344772403499bf49e4ac1a1a928a2024d0f04c9ac91bebe51eabc81364a4eeb4c5cb365
SHA1 hash: 0bacbb56fc939ca9c62a4d97c842a9f15429f31a
MD5 hash: f3ef43446e2e9b54be156d5ae18d1214
humanhash: bravo-utah-charlie-victor
File name:f3ef43446e2e9b54be156d5ae18d1214
Download: download sample
Signature Formbook
Create hunting rule
File size:759'296 bytes
First seen:2022-05-19 14:48:41 UTC
Last seen:2022-05-19 16:01:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zviK3zUXrh93w44p+Hdsp2DfBwJqPeQdCdYwX5ztklxiB:zvnjUXrD3w44pSdkamQ7wXF
Threatray 15'699 similar samples on MalwareBazaar
TLSH T1E8F49DE0367A0B56F9388FFD00A6616147F134B2966BC2991F9371FB1960BDA0EC095F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f3ef43446e2e9b54be156d5ae18d1214
Verdict:
Malicious activity
Analysis date:
2022-05-19 23:01:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c486e5b7-d281-490a-9567-41c174a85075

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272627/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.32143.18711.12555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628658feff102f27123a0dd7/reports/3da6f109-9785-4c1a-beb9-e98138b967e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5af29b35-7196-48c8-8308-7ae5260c18c1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997788
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 630283 Sample: RYi1DY36M7 Startdate: 19/05/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus detection for URL or domain 2->34 36 8 other signatures 2->36 10 RYi1DY36M7.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\RYi1DY36M7.exe.log, ASCII 10->28 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 RYi1DY36M7.exe 10->14         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 17 explorer.exe 14->17 injected process8 process9 19 systray.exe 17->19         started        signatures10 38 Self deletion via cmd delete 19->38 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        24 explorer.exe 2 158 19->24         started        process11 process12 26 conhost.exe 22->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 20:42:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ba2f6257fb96db81026615bb726f0ede3ea3263f2f79989cbab3f7e3cff97a1
Formbook
4a7aa26a59cccaa38181f61e413214368bd2cb3b8aa9c93c8694cc7d37591a3f
Formbook
5f178e8ceb1e7a58d15110f4f376823069242ee2916a3d30782a14c1dda44cbe
Formbook
752d0155c769033832d6845eabba29bce2b9d0eedff734b31a49c879ed08ff72
Formbook
8d08a6736ce2ad51b87e1f3e9577a53abd8ca055fb1d7027b97250cecabee199
Formbook
909570efc48341a6ae00ae8dcbb8d751f912569a4756f7526bc7d0cf1cda81ed
Formbook
98555514bbd11ff97bc555c553087b857314f4da0488e2235080651ee71a0f0f
Formbook
d727b63c6bcf81ea3c6a345f8435ad103f37c11c1b2cc89f9fee1f7253a26f9f
Formbook
f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817
Formbook
+ 15'689 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m9y5 rat spyware stealer trojan
Link:
https://tria.ge/reports/220519-r6zy9abedp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/9acbaeb9-3482-46ae-b582-d0fac567235a/
SH256 hash:
3dfd2c3816d7c6b6f967ee7281fae1e4d1e2a8395b6052d99574fb623086f6f8
MD5 hash:
f63508591306cf3204c695d5a8b42cac
SHA1 hash:
9d6d67b0317cd5f7ac4dcdb06cab3a377cef5ace
Link:
https://www.unpac.me/results/9acbaeb9-3482-46ae-b582-d0fac567235a/
SH256 hash:
82bfd44d655a1974037ca80e745ec9f8562904a56212a02a622423f20790172a
MD5 hash:
bb90879ddef73950ca8ed426d3c19b72
SHA1 hash:
b09ec8449e511dd5c9d3eab671b7d45c6cfdb019
Link:
https://www.unpac.me/results/9acbaeb9-3482-46ae-b582-d0fac567235a/
SH256 hash:
b133c40259175237941d7075bb730c90da05a33591506619d38136489d59b7e2
MD5 hash:
56a59378d29ed4c805d4195893936387
SHA1 hash:
7dad918652a45c54b0897c27e8bf541c21c72557
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9acbaeb9-3482-46ae-b582-d0fac567235a/
Parent samples :
56f0926377455c42b13e8235983ec0c4a2a1bdefc68a712d7e9374ab67af108d
2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3
682629e9b965b64912c262031e640de0b18c637b392df618db5775b8bef53ef4
SH256 hash:
2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3
MD5 hash:
f3ef43446e2e9b54be156d5ae18d1214
SHA1 hash:
0bacbb56fc939ca9c62a4d97c842a9f15429f31a
Link:
https://www.unpac.me/results/9acbaeb9-3482-46ae-b582-d0fac567235a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c33c5bc5ff7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2c33c5bc5ff734e08441f0ae726f6a05bdc9aedf06d989767f3283c0ece448a3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2202479/
Cape
Cape
https://www.capesandbox.com/analysis/272627/

Comments


Avatar
zbet commented on 2022-05-19 14:48:46 UTC

url : hxxp://104.168.33.25/ice/vbc.exe