MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026
SHA3-384 hash: 5faef863911e4283a0dda2eef4a50c1ccd02f26a6ca3da8c05dde3fd9ab6a0de8f557e95251f41004a9860685a47677d
SHA1 hash: f294cb34db5a3a40b2f3ce054220746fb47ab9f2
MD5 hash: 3b6c42f05964fe8f2625c9a812651305
humanhash: fish-idaho-single-zulu
File name:PO pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:841'216 bytes
First seen:2021-08-30 13:43:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:s5oe6E5G3lQ1ONKigEieHbfZ1FgZoA2k5txnf:QUE5G3AiDHTIn
Threatray 8'618 similar samples on MalwareBazaar
TLSH T1BB053C7E19BDA227C161C6F58BE38423F0508B6F3110A96476D357664332A7AB5F332E
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-30 13:50:20 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/5b830ca6-bbef-4abb-8463-7a8da30b2365

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183784/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16053.19608.15982.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90745edc-ce69-4f2c-8107-5fd399744044
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841605
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474034 Sample: PO pdf.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 32 www.villa-sardi.com 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 11 other signatures 2->48 9 PO pdf.exe 3 2->9         started        signatures3 process4 dnsIp5 40 192.168.2.1 unknown unknown 9->40 30 C:\Users\user\AppData\...\PO pdf.exe.log, ASCII 9->30 dropped 13 PO pdf.exe 9->13         started        16 PO pdf.exe 9->16         started        18 PO pdf.exe 9->18         started        file6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 13->60 62 Maps a DLL or memory area into another process 13->62 64 Queues an APC in another process (thread injection) 13->64 20 help.exe 13->20         started        23 explorer.exe 13->23 injected 26 cmd.exe 1 16->26         started        process9 dnsIp10 50 Self deletion via cmd delete 20->50 52 Modifies the context of a thread in another process (thread injection) 20->52 54 Maps a DLL or memory area into another process 20->54 56 Tries to detect virtualization through RDTSC time measurements 20->56 34 www.sexcam-live-sex.net 162.255.119.93, 49724, 80 NAMECHEAP-NETUS United States 23->34 36 whyyousuckatgolfmovie.com 184.168.131.241, 49720, 80 AS-26496-GO-DADDY-COM-LLCUS United States 23->36 38 5 other IPs or domains 23->38 58 System process connects to network (likely due to code injection or exploit) 23->58 28 conhost.exe 26->28         started        signatures11 process12
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 13:42:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fs34pqolsgdapejl4i3niiksvd45knd4vp2oqfmub4vylroz6ata._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
016e6200c368ec7e158572673568037338e92642721c8e543a01571fd0ee2571
Formbook
3cec9bd714745b020366af9537184c619794ef4dee36c99093f53b243c97dcc1
Formbook
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Formbook
837d5ed2867ffbf6b718264ecc27e620ffd9d14b1a4d2255f56b04181713830f
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
9d5847197dc6764bc3ef98ab27c48b41b156f64da2a26798b2f3814682ce4a4d
Formbook
b2c2371d92995eb349a4d6be53af3c42798af56b94f59adf1d765d2905fd5871
Formbook
c75c953e098f6999fd4a1674f4fd325d538502aead639872dec4cb89ca3ffee9
Formbook
+ 8'608 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:k8b5 loader rat suricata
Link:
https://tria.ge/reports/210830-t18k3h8852/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.chongzhi365.com/k8b5/
Unpacked files
SH256 hash:
fb2708faaa182dcb378ed514dd3aa8eade73f6ba95b2c1ce3bb050790ea94345
MD5 hash:
60681cd2406501f4e4342559485cd1ca
SHA1 hash:
4f5b06688f779dbe5a35d93baa7ec38792a16fc2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/818fcbcd-b221-431b-9f57-5e4c39b3f566/
Parent samples :
837d5ed2867ffbf6b718264ecc27e620ffd9d14b1a4d2255f56b04181713830f
2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026
3085d62628657edccc65a18edda86f253fb86712a4e50b1cf67828bfa2d33e80
f621e1b5cd41932d5afac294e228f4f62b056ef322103c8ec06b9123a4eac2d0
e182055e80f1d8a84eab0f3738276043d0c95bcd50492dcc3c711bde472cd1af
cb410693d5e96ef42263250f76d0d16925e54620e350a5faf6053b49a14a07e1
f1619d4c36e975b2cc880b6a72db99282df847ebb72dc6446950dbcbf4d0f487
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/818fcbcd-b221-431b-9f57-5e4c39b3f566/
SH256 hash:
a7ce556e423b27fea183f273fc52319a75721be161cbe7dd41aff3a81fd4769e
MD5 hash:
87cc94c9de5521bee6ae4d0b394cf49d
SHA1 hash:
aade94312537bf99c3281eaa143e071f51ab50e2
Link:
https://www.unpac.me/results/818fcbcd-b221-431b-9f57-5e4c39b3f566/
SH256 hash:
2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026
MD5 hash:
3b6c42f05964fe8f2625c9a812651305
SHA1 hash:
f294cb34db5a3a40b2f3ce054220746fb47ab9f2
Link:
https://www.unpac.me/results/818fcbcd-b221-431b-9f57-5e4c39b3f566/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/2cb7c7c1cb918607912be236d42152a8f9d5347cabf4e815940f2b85c5d9f026

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/183784/

Comments