MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8
SHA3-384 hash:	c739aab625e4b11349cb63d4903c331a2bf9f1fa18f0e838a4c0a0b6cf71e1afc5cd499f1fd32a644f4dc491f3c3bdb4
SHA1 hash:	1186ac8cf82ce7178556a93efae8c800f8afc9c0
MD5 hash:	cdd6c89e919974fd8f8fa65ece0de766
humanhash:	utah-magnesium-ten-emma
File name:	cdd6c89e919974fd8f8fa65ece0de766
Download:	download sample
Signature	Formbook Create hunting rule
File size:	691'200 bytes
First seen:	2023-08-01 13:21:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:K3UNZ2D9kQgIRQ0+hkUG+MU5nhU/PGsBjW8zVL7AFnsSdw5syLiuUp:2UvZQH/1+75nWG8jN9Sd9yLiu
Threatray	3'626 similar samples on MalwareBazaar
TLSH	T134E4F04136AA5F87C4BB83F91631A1001BF16DAF603CE3599EC2B1CA1672F114A95F7B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

汇款通知.xls

Verdict:

Malicious activity

Analysis date:

2023-08-01 10:51:31 UTC

Tags:

opendir exploit cve-2017-11882 loader

Link:

https://app.any.run/tasks/15ffb626-0d9c-41ef-9e3d-7041c406b153

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/439617/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.92482.24795.18001.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/64c906fda6284b7a568334c2/reports/c013537c-6311-4dc0-b572-e3d886081680/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d92800a7-abbe-4405-81e0-fb309515abcf

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1283761

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-08-01 11:52:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fspfrommbeurnadu252cc4gyl24dyi7zpl7ypbrydlwckcxr234a._file

Verdict:

malicious

Label(s):

formbook

Formbook

3023483cc305946575fd1d72187025aba439c95753d39d586d129880a40052ad

Formbook

68561f9a18130d1f0e2a8ca14b9e9344a7f624bb599a766a5b41e16fd728e192

Formbook

85a1f72cea6e68484aad8f6d170705a9af25bbbcd9727a965294b14712451362

Formbook

8bb4dbfeb12ea6c27f6a4bf9ba8188cc231208519e0d7c42bb48c1d75062c76d

Formbook

99748c64e8ad4e2f8877b76cda4e7a8c3ddd4ad8290d18ea6e3dce09ddd92e9b

Formbook

9e6e021c6deed0f7538b92df6a47667f2c52919628fa4886c6948860720f9214

Formbook

b532a96b9e9f065c4c82099e4ee5f3714110cd15290874fe7d20e453b89f6a8d

Formbook

bf72c2caa17e8d579ea996b2bf36bb251498e56e26375b88703f1d59289d9e80

Formbook

e7104f2261f0eac61f2f5c3e316f32475d10b1e4a0df6323f400d1446807d4a0

Formbook

+ 3'616 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230801-ql8vzsga49/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

4d731c5206f96365adab326003f2c41622a7e546e447876b5352fc52ca38f404

MD5 hash:

0e248bb3c32ec890c51157b03e0de992

SHA1 hash:

365209e6c3aec46b09107404b781c22500bb1801

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/e8d7bdd2-7fd3-4429-8cfc-3d5c7ddeed57/

Parent samples :

2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8
9ef1acce35cd1f22cf8d2e59dd9ff59a284631d403d27e1413444ec00ad45542
e521a08be704593a2045c00da7c999fb2a7901564db511c398fe5ff51a710bdd

SH256 hash:

18d65ddda9726a1e1900b0df3ae460bac26238ace3602a4e05fb8196e9cc3ac5

MD5 hash:

85fcc3aa54d50cf780845c6a439f9185

SHA1 hash:

7e7933c406d7ce1bdb186899ec806a877c884c58

Link:

https://www.unpac.me/results/e8d7bdd2-7fd3-4429-8cfc-3d5c7ddeed57/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/e8d7bdd2-7fd3-4429-8cfc-3d5c7ddeed57/

SH256 hash:

dcbd8442762f90cd583050546d2eb8ce4d06dc1c786d16e93651cff0827b6312

MD5 hash:

145ffe28b2e53f9ab5cf7a21e43157fa

SHA1 hash:

639421307a16f0bec62a15f3ce46535faed8babe

Link:

https://www.unpac.me/results/e8d7bdd2-7fd3-4429-8cfc-3d5c7ddeed57/

SH256 hash:

7ed826287a07656058e080236b15c125b4f63f0b31a05040702bd9bf13e2ea5a

MD5 hash:

03c027d9ecf40e65927f989e53ae3cad

SHA1 hash:

40060c18ef3441eafb0512417777fa25750507ba

Link:

https://www.unpac.me/results/e8d7bdd2-7fd3-4429-8cfc-3d5c7ddeed57/

SH256 hash:

2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8

MD5 hash:

cdd6c89e919974fd8f8fa65ece0de766

SHA1 hash:

1186ac8cf82ce7178556a93efae8c800f8afc9c0

Link:

https://www.unpac.me/results/e8d7bdd2-7fd3-4429-8cfc-3d5c7ddeed57/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2c9e58b98c09/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c9e58b98c0929168074d7742170d85eb83c23f97aff8786381aec250af1d6f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.