MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d
SHA3-384 hash: eeb8b67d74835d0c8bfb65589ef5db9253dfe00e323ceca7152fee6f2930bd3e7baa4015d2e7f91d65eeaed672cbf45a
SHA1 hash: 99ca90da6e63b50e8dab0a8bddb652415031961a
MD5 hash: 299d4ea47568be36a6ccaf102bfbc03e
humanhash: robert-bluebird-hot-gee
File name:Ordinazione d'acquisto.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:623'104 bytes
First seen:2023-04-04 19:17:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:NTJ19b+TWNrYy7OC07o3kGn0K2sksJX5+erCxG:NtDb+CSyrn0K9ksJMerkG
Threatray 711 similar samples on MalwareBazaar
TLSH T139D4120A3B62532AC96E9BF79123650583F4EE75B465F31D2DC038E60E73BA18466CD3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 32aa6abaaeecac51 (27 x SnakeKeylogger, 19 x Formbook, 4 x MassLogger)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Ordinazione d'acquisto.exe
Verdict:
Malicious activity
Analysis date:
2023-04-04 19:21:11 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/a4f24d32-d9b2-4569-8987-afce5e99a1e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642c77ec497fb6f23efd6229/reports/877319c0-3900-4534-8a13-3d10398921f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7570bdd-1882-42b6-99b4-4c6455afb5c4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208336
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 841249 Sample: Ordinazione_d'acquisto.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 7 other signatures 2->81 10 Ordinazione_d'acquisto.exe 7 2->10         started        14 TxFHjeU.exe 5 2->14         started        process3 dnsIp4 53 C:\Users\user\AppData\Roaming\TxFHjeU.exe, PE32 10->53 dropped 55 C:\Users\user\...\TxFHjeU.exe:Zone.Identifier, ASCII 10->55 dropped 57 C:\Users\user\AppData\Local\...\tmpDF8A.tmp, XML 10->57 dropped 59 C:\Users\...\Ordinazione_d'acquisto.exe.log, ASCII 10->59 dropped 89 Uses schtasks.exe or at.exe to add and modify task schedules 10->89 91 Adds a directory exclusion to Windows Defender 10->91 93 Tries to detect virtualization through RDTSC time measurements 10->93 17 Ordinazione_d'acquisto.exe 10->17         started        20 powershell.exe 21 10->20         started        22 schtasks.exe 1 10->22         started        28 4 other processes 10->28 61 192.168.2.1 unknown unknown 14->61 95 Multi AV Scanner detection for dropped file 14->95 97 Machine Learning detection for dropped file 14->97 99 Injects a PE file into a foreign processes 14->99 24 TxFHjeU.exe 14->24         started        26 schtasks.exe 1 14->26         started        file5 signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 17->67 69 Maps a DLL or memory area into another process 17->69 71 Sample uses process hollowing technique 17->71 73 Queues an APC in another process (thread injection) 17->73 30 explorer.exe 1 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        process9 dnsIp10 63 www.casadecanonlnllc.com 45.79.19.196, 49704, 80 LINODE-APLinodeLLCUS United States 30->63 65 www.truview-it.africa 30->65 101 System process connects to network (likely due to code injection or exploit) 30->101 40 help.exe 30->40         started        43 raserver.exe 30->43         started        45 autofmt.exe 30->45         started        47 autofmt.exe 30->47         started        signatures11 process12 signatures13 83 Modifies the context of a thread in another process (thread injection) 40->83 85 Maps a DLL or memory area into another process 40->85 87 Tries to detect virtualization through RDTSC time measurements 40->87 49 cmd.exe 40->49         started        process14 process15 51 conhost.exe 49->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-04-04 12:55:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 35 (54.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fsmo74e4u755ch2cxikf3bjldfqipgxcfecspsxbn44yijio26oq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
Formbook
1497a90052656ff479232e10d12fb56c3129754e7546538a11e365da74cd15da
Formbook
21721ca445cf51608c363f704dcf8c552aa966239914d5810aca2e642981335b
Formbook
778782d68c349fbb021a749f1370c2446c19cd3a64e7891c84c55ddf834f2e02
Formbook
a1f4604ea58dce5c513639a0929b6e130783a85873bec08ab0e5b061736dd086
Formbook
c077e2a20dd5984363120b91f3fb09983a586d86ddb401ba4414919ec023adc2
Formbook
d98a67065568b317f933edad5c1f2700d1178ece2bc52e511cdf81b9cf2552eb
Formbook
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
Formbook
e0f2298d191750e9e605b5038f70b14e1bbb1091bed8e8e94837e3dbf35bfdc1
Formbook
eb3414abcb87814b1f26bed72e45682051e7b4cd712d30038ef5d45ea8ec3187
Formbook
+ 701 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e31p rat spyware stealer trojan
Link:
https://tria.ge/reports/230404-xzxs7she36/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
4f7e925125af781ff637251cc4a3be7d3926d195f5559dbacb7c9faa5a435d78
MD5 hash:
2d492a7a55fd01268efb97a36fa3ea9c
SHA1 hash:
b90c0e4de08cc0e460add3f680d0450a8d0140a9
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/046d8974-2a5f-436d-90c1-51af3d6866ca/
Parent samples :
8e067a63005c0cb62a0db614acafc9e1964bfd5520c13075d04879fb2aa90451
2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d
SH256 hash:
0906cd504b8a4489aec23b72b945f6b44340bd1d7402ea9d852c108295ee8239
MD5 hash:
8e56ca138d2e8630c48be8766aafc3c6
SHA1 hash:
e74c57394ea991ab61bc60611bd6db0f41892e1b
Link:
https://www.unpac.me/results/046d8974-2a5f-436d-90c1-51af3d6866ca/
SH256 hash:
744399fc21305da0b98085dc87ca6f7ade59c80499ac00f15f656b48e09735a3
MD5 hash:
0544c89dd396201fa1c56527dd8bf0a3
SHA1 hash:
da16932725ab95a0e8945e8dc314781f5b539707
Link:
https://www.unpac.me/results/046d8974-2a5f-436d-90c1-51af3d6866ca/
SH256 hash:
2916d97ae6489ac1fb0e8d9a313cacf53c2f33378c9935967d4a7c8b1f23a4fc
MD5 hash:
914d6bd16b25950154ff70c9c09ec446
SHA1 hash:
9b4f77c732719ce974aa42d0b529ae0ea0520e5d
Link:
https://www.unpac.me/results/046d8974-2a5f-436d-90c1-51af3d6866ca/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/046d8974-2a5f-436d-90c1-51af3d6866ca/
SH256 hash:
2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d
MD5 hash:
299d4ea47568be36a6ccaf102bfbc03e
SHA1 hash:
99ca90da6e63b50e8dab0a8bddb652415031961a
Link:
https://www.unpac.me/results/046d8974-2a5f-436d-90c1-51af3d6866ca/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c98eff09ca7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2c98eff09ca7fbd11f42ba145d852b1960879ae2290527cae16f3984250ed79d

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment

Comments