MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SHA3-384 hash: 984f44e6dcd109de9cae243c98104cdb187686bfa67439544db5e4577a8dc4beac955c3d9fc9896a8ef247b1fbd5d2e4
SHA1 hash: f5ca2912562d74716cdb8f978c9e5265a80843a6
MD5 hash: 7bfcb4bfd40c98a6ced867192d98fd0d
humanhash: colorado-alpha-enemy-seventeen
File name:098765545355.DOC.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:740'864 bytes
First seen:2021-11-29 17:44:00 UTC
Last seen:2021-12-06 14:53:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 01f42bb56bd8196b0da3b3826e73efd5 (4 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:HOYMYlxIimj6qr9wMiE+wGFYjA2KY59roDBM6nGplGJY:HOJYMimv+9wGqfKY59cM6GplGJ
Threatray 11'968 similar samples on MalwareBazaar
TLSH T1FAF44A63EA477872C55319FBBCAE5A10F458FE712A19255E6ED83C050FB92813C36A33
File icon (PE):PE icon
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
098765545355.DOC.exe
Verdict:
Malicious activity
Analysis date:
2021-11-29 17:59:19 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/f74926cc-f813-4782-b396-99b3d5f97a81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Zusy.408309.14966.9919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/181/overview
Behaviour
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dealply keylogger packed remcos zusy
Link:
https://www.filescan.io/uploads/61a51165c4c5314148221103/reports/17c9f40b-51c3-4bc7-8f53-e847d3dbe53d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a84c851-120d-4525-8c5d-319cd41a5bdc
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898109
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-11-27 00:38:07 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fueg3krqya4abnttaepg5yinltg7uvuef5trrcwdjdrq5vomqa6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5
Formbook
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
Formbook
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
Formbook
6c6411e168c6e04022e9314130b25ae03380de6791d6a801f150679fddb64934
Formbook
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
Formbook
d78094f3b6eac87e2d4249671bdc4e044afb31e2e78aac8f2db7186c6d5b6db1
Formbook
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032
Formbook
fc791a24b4250988196f8c8b174d778e0ed1f4ea2a3c8601b25ab4431df56f08
Formbook
ff577215d4aaa29ae63860167282ceeb0a703daadfdaef2155102500c269caa2
Formbook
+ 11'958 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:euv4 loader persistence rat suricata
Link:
https://tria.ge/reports/211129-wa58lscecr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.rematedeldia.com/euv4/
Unpacked files
SH256 hash:
80862d46bdac152572d0faa96c99edb9bcb3d5d3ff5d1d41771f5cb8ad164a2c
MD5 hash:
7c09b28f7639c8b2a033e88db5d9df53
SHA1 hash:
fbcccc3c2d024228a3e1dab743b3912ed8ccbb3c
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/c87d0b6b-057a-41f6-931b-386b533bf91c/
Parent samples :
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
62d54d23908b06fb851da8829798a3d82110e0c189a8794f9d7deb9642f1542d
91b5c318543587a212464565a4df06eae2ad2823338389134f06c4409047e18e
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
6c2c4e5bb1275643184f07bd2bce3f51722e3b3e0557fbf0d83c0dc6461c4a5b
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SH256 hash:
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
MD5 hash:
7bfcb4bfd40c98a6ced867192d98fd0d
SHA1 hash:
f5ca2912562d74716cdb8f978c9e5265a80843a6
Link:
https://www.unpac.me/results/c87d0b6b-057a-41f6-931b-386b533bf91c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2d086daa30c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments