MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d7a273e89f10f65f578ab99082a23aecc948556f8e33a67f1eb9689b1cdc1d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	2d7a273e89f10f65f578ab99082a23aecc948556f8e33a67f1eb9689b1cdc1d3
SHA3-384 hash:	614ad3e928df9fe4c87d28e3af5f5a64e3d7879220b898aebcc6c8fef23396105a7d5e7d8810eee211b0422a45ff21a5
SHA1 hash:	5b3e6c9006b1d7980700f4ccffbd8d8a5258eb30
MD5 hash:	ca86ee16c51a5081464eb585cf5467e4
humanhash:	helium-bacon-sodium-johnny
File name:	Payment Advice doc.bin
Download:	download sample
Signature	Formbook Create hunting rule
File size:	869'376 bytes
First seen:	2022-06-16 09:34:06 UTC
Last seen:	2022-06-16 10:39:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:8BsicGjBLbfwTKeVlS6PH8RdGdkLsmx7F:wdzeNlDP6cdkNBF
TLSH	T19B05023EEDD79D13C70C4232D4D38D1913ADD75AE263E79B26105AEA8E017C68C46ACB
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	JAMESWT_WT
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Payment Advice doc.ace

Verdict:

Malicious activity

Analysis date:

2022-06-16 09:33:28 UTC

Tags:

formbook opendir

Link:

https://app.any.run/tasks/db05aff5-088f-4548-8169-fde206b4445d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/280635/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.7719.18634.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62aaf92fc07f2e38a14d3ffe/reports/ea39b8f1-9a65-4639-bccb-b969fbdbf435/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3173ad72-f7f9-4550-a341-5035eb333bd6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1014421

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/2d7a273e89f10f65f578ab99082a23aecc948556f8e33a67f1eb9689b1cdc1d3/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2022-06-16 09:35:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fv5copuj6ehwl5lyvomqqkrdv3gjjbkw7drtuz7r5olitmonyhjq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:h4st loader rat suricata

Link:

https://tria.ge/reports/220616-ljvhcschdl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

52a6b795c372635fae77393a0b9faae622743f1c2f71343c9c7033145c62f4db

MD5 hash:

5d0bbc5cf749729144dbbc42d6ffc7ec

SHA1 hash:

75b52947ab5490eaa62bd4c6e9ae29b9e568a9a6

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/b6791d59-6b1a-4fe7-88bb-86487b3768e6/

Parent samples :

b02d4d23621c721c923d3772118c91d76cbe9c268895aef2d1933ba3fed08a62
c16d13d0c7440147da615f254434e40d88ae3fa2f66ecbcb95db7ddc248c3975
542dc03979a99a044da2cb36be595045d7f8dee300dd2e48c27ccb5127202011
c2611311dcf606304c1dcff55aee197f17a3f46d12680732d97e64af99d91c9d
2d7a273e89f10f65f578ab99082a23aecc948556f8e33a67f1eb9689b1cdc1d3
7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
f811d5dabefeddc18a4ecd848b7f24ecc8fe56817ed0baf6f9be68622cb3fd14

SH256 hash:

590db5eb1d964cd2aaca70aea96bd7b85ccccc526a1d98c3234beed04e823236

MD5 hash:

0b9b4b54230427dda9027c85dbde6241

SHA1 hash:

f39df5f609134e6bd27f00653435eded6cf7bca6

Link:

https://www.unpac.me/results/b6791d59-6b1a-4fe7-88bb-86487b3768e6/

SH256 hash:

423cc282b632c8fc03f86b1caa7ed75418ce095a07052ee807dc90ebf70a6f9c

MD5 hash:

a809b60f525cfa97744641d967780913

SHA1 hash:

e87b6125d3bae510de2e47cd889b9fcbc4fe65b5

Link:

https://www.unpac.me/results/b6791d59-6b1a-4fe7-88bb-86487b3768e6/

SH256 hash:

84238dc32dc2c72716d7233f509b43a45617e2a24ca07eecda58ae37a704b90b

MD5 hash:

1d6115ad56b1707c8afa1a65f22afc96

SHA1 hash:

58cbf25298e84cf9d91da78ae370ac5ddbb2c3fd

Link:

https://www.unpac.me/results/b6791d59-6b1a-4fe7-88bb-86487b3768e6/

SH256 hash:

2d7a273e89f10f65f578ab99082a23aecc948556f8e33a67f1eb9689b1cdc1d3

MD5 hash:

ca86ee16c51a5081464eb585cf5467e4

SHA1 hash:

5b3e6c9006b1d7980700f4ccffbd8d8a5258eb30

Link:

https://www.unpac.me/results/b6791d59-6b1a-4fe7-88bb-86487b3768e6/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d7a273e89f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/2d7a273e89f10f65f578ab99082a23aecc948556f8e33a67f1eb9689b1cdc1d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/280635/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample