MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395
SHA3-384 hash: c449b1b6300ad892f37282e6dee669a2e1e05b7b80beb7905b68ab58c15aca5b2783ef09ba0c374c07cfc59063478997
SHA1 hash: 73b27ebf534c0eac7016cd1b0e85f170bfd8b0d2
MD5 hash: 8c011e2a34e20105d657432648779b10
humanhash: red-jig-blossom-edward
File name:New order pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:598'016 bytes
First seen:2022-05-20 10:45:52 UTC
Last seen:2022-05-21 00:43:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:NvezoGdPhxKUAlGz0vsyFKOGbj+ckESmSMCz78swlg:kNPhoRGdyF4vzkE7S3z78T
Threatray 15'635 similar samples on MalwareBazaar
TLSH T1FFD4124876D68F36E5BC87FAA1506110137A6269B947FB5E0FA150C898377304BA3BF3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 60f0a68c8ca6f070 (6 x Loki, 3 x AgentTesla, 3 x SnakeKeylogger)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
New order pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-20 21:26:33 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/51ece319-1f20-4d67-a1ec-bb58504b89c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272946/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1348.32663.22756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62877179054dcf0ecad16be6/reports/931e1df9-aefe-477e-8580-902c884f6669/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f69dd235-437a-4d42-8f7c-07426793c670
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998464
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 630960 Sample: New order pdf.exe Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 31 www.dunglass-aco.com 2->31 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 7 other signatures 2->41 11 New order pdf.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...29ew order pdf.exe.log, ASCII 11->29 dropped 53 Injects a PE file into a foreign processes 11->53 15 New order pdf.exe 11->15         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Sample uses process hollowing technique 15->59 61 Queues an APC in another process (thread injection) 15->61 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.dunglass-aco.com 44.227.76.166, 80 AMAZON-02US United States 18->33 43 System process connects to network (likely due to code injection or exploit) 18->43 22 svchost.exe 18->22         started        signatures11 process12 signatures13 45 Self deletion via cmd delete 22->45 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 01:06:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxsjwmic3jjvauy2oc35m4gorqnj3jowmtlvgazfpafz2gno2okq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226
Formbook
3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef
Formbook
6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf
Formbook
b01852366a757d7a668950fe78fe78113c184d24db59aefe7dd52c44eaed2c77
Formbook
c483fdd57cf8e05985e6e09ae3c74a7b53cccff68ddccd0cfea136591ec5c306
Formbook
cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34
Formbook
d1436252b743d1f522311de28d13a2ec5d8e399990f5c5c26f3479414076ee26
Formbook
+ 15'625 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:dahn loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220520-mtys7sdecr/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
b8a64a2274939bbde60a0a5f0113677de915972dfff262e8825f03df0b1a1274
MD5 hash:
a88b103f6485b2343118642da019c7be
SHA1 hash:
b66686dbb46215583daa65dfe5c0875212e6112c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/147fbff3-1a29-465f-b379-1b9809a5db0e/
Parent samples :
2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395
bbf76a25feb60b000b42552adce5f72d871a82d6c6ed3bb72a7f8d94c8886f4d
ed072604ebceced91d3493f0805453f7e75f2ddbc22158ac6d3c2081a4a6c922
f274c2da05a52d01da16c287803a7ea79306fe51c4220f55c19f2bfbe34288b7
SH256 hash:
187700e1704dbfc438d8e0e47ed6d15b4d4e0bffa638216eddfcc51ec0a2d617
MD5 hash:
3a0fe46229da323fff01b7e23b6c484b
SHA1 hash:
f795f8ad1a08e3ab98bc3db2b51683fdfba99f66
Link:
https://www.unpac.me/results/147fbff3-1a29-465f-b379-1b9809a5db0e/
SH256 hash:
57eb0447a7068c29a78bdb497be88c6ecaf3006885064f0f67cc0ac3e19c13fe
MD5 hash:
45f9cd77091177104c05230aa249a955
SHA1 hash:
49f1568188db6d8181afb1c507e36af845ef86fc
Link:
https://www.unpac.me/results/147fbff3-1a29-465f-b379-1b9809a5db0e/
SH256 hash:
a5d5b8873932fbed16d66e003155c681be89cdcc938c58a1f5a371d6c1d1985f
MD5 hash:
c11bc6e7beda81c12835d56af9fbf424
SHA1 hash:
4254572bd8ea03f6ef0fb55af5ad527fcbdb0b79
Link:
https://www.unpac.me/results/147fbff3-1a29-465f-b379-1b9809a5db0e/
SH256 hash:
2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395
MD5 hash:
8c011e2a34e20105d657432648779b10
SHA1 hash:
73b27ebf534c0eac7016cd1b0e85f170bfd8b0d2
Link:
https://www.unpac.me/results/147fbff3-1a29-465f-b379-1b9809a5db0e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2de49b3102da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/272946/

Comments