MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1
SHA3-384 hash:	cbf3e30462172f3ca9922bdefb8bf37b29a0076257b886af156a828a37cb4c32074dc6b37f1d474bab871e4ee7e1a128
SHA1 hash:	e53dd70d0d35583353cf489881f068785e0ad37b
MD5 hash:	85213e1206276fffba22c310ce7b802a
humanhash:	wolfram-low-crazy-cola
File name:	85213e1206276fffba22c310ce7b802a.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	669'184 bytes
First seen:	2021-09-30 17:27:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	37eb007caca04517136e6f2437bd7b42 (6 x RemcosRAT, 4 x Formbook)
ssdeep	12288:6xAWXql73WhMWZP6I2Wjh2h785jWU1bjjx:6xfXqlKCW92chM85SU1bj
Threatray	9'825 similar samples on MalwareBazaar
TLSH	T14EE47E175ED68937E36B1AB98507BB24D93CB841A8E03173BBEC6BC8277538070519E7
File icon (PE):
dhash icon	e1b0b6c2736a7878 (6 x RemcosRAT, 4 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

85213e1206276fffba22c310ce7b802a.exe

Verdict:

Malicious activity

Analysis date:

2021-09-30 17:43:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d71012f6-8215-4fdb-9e40-c885efa636c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/193761/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.26590.16247.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Modifying an executable file

Launching the default Windows debugger (dwwin.exe)

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4af3c62d-986b-4b79-aa6e-8030d6dd6779

Result

Threat name:

DBatLoader FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862155

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1/

Threat name:

Win32.Trojan.Phonzy

Status:

Malicious

First seen:

2021-09-30 17:28:07 UTC

AV detection:

10 of 45 (22.22%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a

Formbook

6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

99a52f15cbd0ceb13b15070bbbab2eee59974d15e8d4aaed562b015d888294c5

Formbook

a4c0f021f7b7e196e3a5d8e324cb4084c14941c94d2aab667eb886464948b44a

Formbook

a7acd97fcff334160640901d977010aa55397f5a6da375ab38bcb1622b800f7d

Formbook

cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7

Formbook

+ 9'815 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:scb0 loader persistence rat

Link:

https://tria.ge/reports/210930-v11kdaacb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.llaa11.xyz/scb0/

Unpacked files

SH256 hash:

f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703

MD5 hash:

6cfdeebc3c72279486ddd229eb14b009

SHA1 hash:

e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7

Link:

https://www.unpac.me/results/c8acfb0e-1c56-4a36-bdc6-a28cc1f24642/

SH256 hash:

2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1

MD5 hash:

85213e1206276fffba22c310ce7b802a

SHA1 hash:

e53dd70d0d35583353cf489881f068785e0ad37b

Link:

https://www.unpac.me/results/c8acfb0e-1c56-4a36-bdc6-a28cc1f24642/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/2cf9a6fd4361184dbe79b2067472bdb6ac2907b89e78e213cf0eadd69ed10cd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers