MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c67cd53627199ab4741a3fe73a317b1f91fd46544e06ed251b8ab8b444170a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 2c67cd53627199ab4741a3fe73a317b1f91fd46544e06ed251b8ab8b444170a8
SHA3-384 hash: 2943f60fc872ac26ac0175d3d6c302f0e9c31d32ad2eb4a87ae1937de218f9e9ae38c7153c5865fafe767558311b7312
SHA1 hash: 9901d14b05a9e8305a4660ead1a334571f7017fe
MD5 hash: bab35b6fe111a241883bdbd3f9996a30
humanhash: white-crazy-freddie-berlin
File name: Inquiry 241128.exe
Signature: Formbook
File size: 918'016 bytes
First seen: 2024-11-28 08:15:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:k2xj0BZodxnaB89JG0Z7dFXue45xMP9LCnYnL:H+BZ0hBG0Z7+eOOPAnY
Threatray: 1'014 similar samples on MalwareBazaar
TLSH: T1D81512A422DFE906C8E217704972E3F44A749DC8ED15C30B5BE97EEFF8362562990391
TrID:
71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 0048496961686800 (5 x Formbook, 2 x RemcosRAT, 1 x Loki)
Reporter: Anonymous
Tags: exe FormBook

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 418
Origin country: PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry 241128.exe
Verdict:
No threats detected
Analysis date:
2024-11-28 08:42:19 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Result
Threat name:
FormBook, PureLog Stealer
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph (ID 1564390; sample: Inquiry 241128.exe; start date: 28/11/2024; architecture: WINDOWS; score: 100)
Top-level signatures:
  Antivirus / Scanner detection for submitted sample
  Sigma detected: Scheduled temp file as task from temp location
  Multi AV Scanner detection for submitted file
  10 other signatures
Process tree:
  Inquiry 241128.exe (started)
    dropped: C:\Users\user\AppData\...\oklxWiuHrvEbN.exe (PE32)
    dropped: C:\...\oklxWiuHrvEbN.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmpDA0D.tmp (XML)
    dropped: C:\Users\user\...\Inquiry 241128.exe.log (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    started: powershell.exe (Loading BitLocker PowerShell Module)
      started: conhost.exe
      started: WmiPrvSE.exe
    started: powershell.exe
      started: conhost.exe
    started: schtasks.exe
      started: conhost.exe
    started: Inquiry 241128.exe
  oklxWiuHrvEbN.exe (started)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: schtasks.exe
      started: conhost.exe
    started: oklxWiuHrvEbN.exe
    started: oklxWiuHrvEbN.exe
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Status:
Malicious
First seen:
2024-11-28 03:44:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery execution
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash: 57eae970c958ede9aa453b0384b5440ad520cf3957d217aa914aed436c437e53
MD5 hash: e4902b7f3836b5f14e117f1f5d35b6ea
SHA1 hash: 55bd0d8570400fead5b4fdd0d39cbd5c70b1b7fd

SHA256 hash: 7959a9b2ea6bba1b4330b72a4c6fa90c075a5b21ea471ccb65680ba248261be8
MD5 hash: 13b4f69ee3e3657fbe3c0d245f5820ca
SHA1 hash: 3ff41501d3594a35a9b8c39469bb3f6f86c3d319

SHA256 hash: e336c22a135249eb2d3c1b238b24dce6b3caceee46ed2c528ac3bc4d0db5466b
MD5 hash: 5acc21a9b9bf336c0fe056d96e26c8da
SHA1 hash: 1fc74ff9fae303c5cad68becc9a2a050a5570c73
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 67dcf18fdd4c10ffb663147b020f3ad61318901788b549b9ed9f3e1048d0aa73
MD5 hash: a6377ea44fc38dd0821b260a6b2ef2a7
SHA1 hash: 000a27dbb56df395033adf78ef97339d2f001178

SHA256 hash: 2c67cd53627199ab4741a3fe73a317b1f91fd46544e06ed251b8ab8b444170a8
MD5 hash: bab35b6fe111a241883bdbd3f9996a30
SHA1 hash: 9901d14b05a9e8305a4660ead1a334571f7017fe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                   | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments