MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498
SHA3-384 hash:	6233031868ef39148a424cd58bb02858f26bb598312d7f182e6d8699e28a2b769e437375ded63fca170d68c2c899995b
SHA1 hash:	a718b0da52d08918b0c969c167b442bdc66a50d3
MD5 hash:	b2fae623fa0e77effda92fbe3640dc9f
humanhash:	december-bacon-butter-enemy
File name:	SecuriteInfo.com.Trojan.Win32.Save.a.21926.14317
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'673'216 bytes
First seen:	2021-07-15 03:40:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:ets2vCM80qH9ivkDFRhI3JN//zA3rMes1U6GHet:CsC8Dskpi3j8tSG
Threatray	6'406 similar samples on MalwareBazaar
TLSH	T15575923EA954AA27BB3FD26845430014F4BC71EA36399CDB49C72588355E9027EEF36C
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Win32.Save.a.21926.14317

Verdict:

Suspicious activity

Analysis date:

2021-07-15 03:43:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb73f816-9b72-4c7b-918f-1c6a4554cfa0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/171849/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.21926.14317.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6580677b-ff8b-4ff5-8d1a-711ac47f046a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/816642

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-07-15 01:20:56 UTC

AV detection:

7 of 46 (15.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fruwef7cwbdrlc6jxy3bsb7sgyrt4tlqshxeydq7cqbci7ecosma._file

Verdict:

malicious

Label(s):

formbook

Formbook

5ee7421dbf8127f1c6ff086299b2a1c638ca26a61a649f1cb61230814d0ff4e8

Formbook

6fac6e1f7f8cdd8cec52b2dd7a23fd434084c7d12ef0f04deaa52794d3612ef7

Formbook

7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a

Formbook

8c38ea1b07ac6af7083834889e6c999fd84c857a767cf0928be1e7812a594849

Formbook

98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd

Formbook

a173731d16e9140be26ee0a16e6416109b684b71a3523a3c4b85cf101bcd3b1e

Formbook

d3a729cac68f5147eb5b7a4e288196b37d0e7a02305529c591b060bcd36a843d

Formbook

ebe1f420ea3fcef5b426cf6458d23984e12c4ceb5983571699f60aaa963b159a

Formbook

f5a2547fc06aeb5416ee308668f2091e0e21c07b57aa6f4e5db47e06e6899a73

Formbook

+ 6'396 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210715-6v9gr26ppj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.cryptodeposit.info/u8aa/

Unpacked files

SH256 hash:

3776aa883ec68fbacf7503eee496561e8fc124832f32d1e19e30a91a4bac2392

MD5 hash:

aa8737e1ef2851feefc526d37a03d654

SHA1 hash:

6ba7702a1dd5ade1f6f7dd2d092ef5af238b7221

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/6081b339-7fa6-4abd-a6be-d77c24b4355e/

Parent samples :

2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498
084cb2109cff42297ef1b5982900b2022ccc35210cff2231f95acc0aec4e8e36
cc0f2348e1c6b1cabd55e7770566e41cf7ce5978f0028d8c0f66eb55ec26cc6b

SH256 hash:

14ef3efa1a8a0901c4a21d85329c9261c17a1105f930c066984a22fb1103c3ab

MD5 hash:

ac34bb5d614e9b037388d96901d93f8b

SHA1 hash:

d1c3a1bd89b7fae58d841499f8faa772d61f204f

Link:

https://www.unpac.me/results/6081b339-7fa6-4abd-a6be-d77c24b4355e/

SH256 hash:

e60dd55b3ae80c14cab8e153ed5f84a7ecdcd4dc54d7d8ccdc956e8adee7fa8e

MD5 hash:

238d6fc0b28f993ca2779d51ddc58615

SHA1 hash:

754d4e55c1eb83c9c8c886fa2d3a6f4d6c45eacd

Link:

https://www.unpac.me/results/6081b339-7fa6-4abd-a6be-d77c24b4355e/

SH256 hash:

25a053aad34aa5671cccf62137cadd97c555d6411502aa198b5026c54d2b0366

MD5 hash:

aa2afab377a6e9d7756d09a610e2e283

SHA1 hash:

336420f0fdbbfdde41916d1d619100192417e30b

Link:

https://www.unpac.me/results/6081b339-7fa6-4abd-a6be-d77c24b4355e/

SH256 hash:

2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498

MD5 hash:

b2fae623fa0e77effda92fbe3640dc9f

SHA1 hash:

a718b0da52d08918b0c969c167b442bdc66a50d3

Link:

https://www.unpac.me/results/6081b339-7fa6-4abd-a6be-d77c24b4355e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/2c696217e2b047158bc9be361907f236233e4d7091ee4c0e1f1402247c827498

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171849/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample