MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e
SHA3-384 hash:	45864ec32d8a57a7f27d8d50695d4484d29f3b768fa8534dd2486b0a27ff8488f9f0c13caccb818f9d2cd9b103578c3d
SHA1 hash:	3020be5efe03b3c4742db11e1cca01f421c03453
MD5 hash:	f1be2d3aba304e09e49b4aae176f236c
humanhash:	washington-mobile-kentucky-spring
File name:	vbc.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'672'192 bytes
First seen:	2021-01-26 13:39:04 UTC
Last seen:	2021-01-26 16:20:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:Vbckj83KxPr9U9/QAHSXZBQFE/QBZYOE9Mad9bz940SL0R0z4VLpPeoqO1gmotsG:Vbckj8
Threatray	3'628 similar samples on MalwareBazaar
TLSH	047573382E3F3946E80555CE0C4BCF7AAF6D42355568502C96BF7029B20FD16AAEBC71
Reporter	JAMESWT_WT
Tags:	FormBook VelvetSweatshop

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

P.O EME39134.xlsx

Verdict:

Malicious activity

Analysis date:

2021-01-26 13:33:20 UTC

Tags:

encrypted exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/a6e65c12-b63a-47b3-abdc-8f42678cc994

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/113906/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.4010.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/590712

Signature

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-01-26 13:40:07 UTC

File Type:

PE (.Net Exe)

AV detection:

16 of 28 (57.14%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

143848b6d47c7c571df87a7dee1892aa571b94fca0d9d60c6b7a2141f644950a

Formbook

2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e

Formbook

420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5

Formbook

470d8938f9eedf84f9f75a9862f09d98bd0c9d265ede33a2f0983a5c26d17a7f

Formbook

7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e

Formbook

b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9

Formbook

bc7980d8d26972345c934f05a7f5f596b72957e06630c20a853b0c3146c5461c

Formbook

e34426ec0d12a3acde221f2a5e5476528e028c1fc980a7c2d35dcfdde9caccab

Formbook

ed9c5c6d05892ce64f553810dcb3e3f2e8f0f58d46888bbfeeb744e89dd1cf8e

Formbook

+ 3'618 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210126-f44avcvg4n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Uses the VBS compiler for execution

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.paeonystore.com/kre/

Unpacked files

SH256 hash:

d86f948ccf8cee19c4c9c35a6f750160773b7705552d1f64b6e7f731184bbea7

MD5 hash:

0d0b6976d29e17127a6475f3b942ab8a

SHA1 hash:

c85b9ad98410acd1884d0e531671721279e015c1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/99818729-9d93-49f7-9427-6eed9cff4d86/

SH256 hash:

fa869a8a53cb7f718a39de9c45706cf3a5de0aa7a5dfa0f0657f8f04fa8c88ad

MD5 hash:

adf0b75d48bfc5cb01d2347ab4811399

SHA1 hash:

53b64f774cd6c09fac135b8bff71ac385517414d

Link:

https://www.unpac.me/results/99818729-9d93-49f7-9427-6eed9cff4d86/

SH256 hash:

2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e

MD5 hash:

f1be2d3aba304e09e49b4aae176f236c

SHA1 hash:

3020be5efe03b3c4742db11e1cca01f421c03453

Link:

https://www.unpac.me/results/99818729-9d93-49f7-9427-6eed9cff4d86/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 2d14644ecb7e3d6a7f6e2c8888ecda848a2a9dbf30dd534c5aa531a5c4bcef2e

(this sample)

Cape

https://www.capesandbox.com/analysis/113906/

URLhaus

https://urlhaus.abuse.ch/url/978932/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample