MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
SHA3-384 hash: 5261f66a782ff9d79a307347b8ce15141746936275c315ed69f5fa1f08a9b2d4c4a1a250a68f445e23ea8a81efd30f1c
SHA1 hash: b97b22599b0b87bab09f24a7531c89d4cf35f5c2
MD5 hash: dce983778e604b799e0470fd69e833f2
humanhash: quiet-fourteen-earth-beryllium
File name:dce983778e604b799e0470fd69e833f2
Download: download sample
Signature Formbook
Create hunting rule
File size:178'176 bytes
First seen:2022-01-21 18:54:28 UTC
Last seen:2022-01-21 21:18:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:xTa3zG/zbQAaYPtSHPWcmhVm13jPJXtO5k4ZaDBo+CO8nYjj0/:xTsC/zbX5k4ZaDBo+CO8nWj0/
Threatray 13'229 similar samples on MalwareBazaar
TLSH T1D604D435EAF7DE70CA52093BA52CFA2D0D1D2D791D67F8092458FD23AEB6ACC9840171
File icon (PE):PE icon
dhash icon 58cbdadadadadd58 (9 x SnakeKeylogger, 6 x Formbook, 4 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dce983778e604b799e0470fd69e833f2
Verdict:
Malicious activity
Analysis date:
2022-01-22 04:12:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57ea0166-6ed4-412b-9938-421715b2552b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221559/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.288.12661.12925.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe obfuscated packed replace.exe strictor
Link:
https://www.filescan.io/uploads/61eb018e0f8c757253d60078/reports/6e1c06ae-baa1-4126-b616-6e79f2d6c1b4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8d7ee3ed-7b38-41a4-ad66-527c47d4bbc8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925449
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 557923 Sample: PicfEIo5Yq Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 75 google.com 2->75 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 7 other signatures 2->89 10 PicfEIo5Yq.exe 19 9 2->10         started        15 update..exe 2->15         started        signatures3 process4 dnsIp5 79 trietlongvinhvien.info 150.95.104.46, 49749, 49793, 49794 RUNSYSTEM-AS-VNGMO-ZcomRunsystemJointStockCompanyVN Viet Nam 10->79 65 C:\Users\user\AppData\Roaming\...\update..exe, PE32 10->65 dropped 67 C:\Users\user\...\update..exe:Zone.Identifier, ASCII 10->67 dropped 69 C:\Users\user\AppData\...\14mbfslt5u4.vbs, ASCII 10->69 dropped 71 C:\Users\user\AppData\...\PicfEIo5Yq.exe.log, ASCII 10->71 dropped 101 Injects a PE file into a foreign processes 10->101 17 PicfEIo5Yq.exe 1 5 10->17         started        20 cmd.exe 1 10->20         started        23 wscript.exe 2 1 10->23         started        103 Antivirus detection for dropped file 15->103 105 Multi AV Scanner detection for dropped file 15->105 107 Machine Learning detection for dropped file 15->107 25 cmd.exe 15->25         started        file6 signatures7 process8 file9 61 C:\Users\user\AppData\...\FB_4CC9.tmp.exe, PE32 17->61 dropped 63 C:\Users\user\AppData\...\FB_3894.tmp.exe, PE32 17->63 dropped 27 FB_4CC9.tmp.exe 17->27         started        30 FB_3894.tmp.exe 17->30         started        91 Uses ping.exe to check the status of other devices and networks 20->91 32 PING.EXE 1 20->32         started        35 conhost.exe 20->35         started        37 AcroRd32.exe 39 23->37         started        39 PING.EXE 25->39         started        41 conhost.exe 25->41         started        signatures10 process11 dnsIp12 93 Antivirus detection for dropped file 27->93 95 Multi AV Scanner detection for dropped file 27->95 97 Machine Learning detection for dropped file 27->97 99 4 other signatures 27->99 43 explorer.exe 27->43 injected 73 google.com 142.250.180.142 GOOGLEUS United States 32->73 45 RdrCEF.exe 67 37->45         started        48 AcroRd32.exe 12 6 37->48         started        signatures13 process14 dnsIp15 50 update..exe 43->50         started        81 192.168.2.1 unknown unknown 45->81 53 RdrCEF.exe 45->53         started        55 RdrCEF.exe 45->55         started        57 RdrCEF.exe 45->57         started        59 RdrCEF.exe 45->59         started        process16 dnsIp17 77 trietlongvinhvien.info 50->77
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 02:07:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvapi4x2mehmsbuldo2nav6kekj6eoe746ivvtjcg63n7bpjw2zq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
41477bedbe65980efdfe44fbf871c15273b68d114dcabb814ee9cf65f13851be
Formbook
6a7753dba591a0f953c07a4e13ef1682c3839bcc380545a647da6e24bef41786
Formbook
8426bc09e01e893337a5b15b947e6f176c1eb937768c70cd4c0526b0b710523a
Formbook
9b9e383f7635be680129b113ad1e827c61e2e2cf1ce7ccccd2f09b9a0a546494
Formbook
bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552
Formbook
e2682ee08233df5afc90d9295165ffed0373e4f34278d99d5a30622c2577639b
Formbook
e29100d2ecddd199e9b4b40d094b36f7a67981393cf3f58cfacabf91e3dd7eed
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
fa070ad21750a69c17bd104ae6fac4b05d12fe9d689101a38553619519f7edfb
Formbook
+ 13'219 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oh75 persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220121-xkskyabadl/
Behaviour
Checks processor information in registry
Gathers network information
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
MD5 hash:
dce983778e604b799e0470fd69e833f2
SHA1 hash:
b97b22599b0b87bab09f24a7531c89d4cf35f5c2
Link:
https://www.unpac.me/results/10b622c0-1436-4649-ab6e-7439598ffb9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/221559/
  
URLhaus
https://urlhaus.abuse.ch/url/1996281/

Comments


Avatar
zbet commented on 2022-01-21 18:54:30 UTC

url : hxxp://trietlongvinhvien.info/.tmb/ID4/121Oyzuedk.exe