MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343
SHA3-384 hash: 70ec514c2a8862626171fa1d160b7e68a6d2535317ec5642a0b126def027c1864aee5b495a4bb1ee7a9cabf7e6f6f409
SHA1 hash: c3ca4aeac90b3ded4d0959c3ff27edc64c6f9e93
MD5 hash: e9680ac76be7504b3aff5ed7a8d43031
humanhash: network-fruit-floor-december
File name:INV91052.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:261'487 bytes
First seen:2022-10-24 07:21:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (724 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:mbE/HUb4i8Plz8lmoUeOe9chqJUUG0XNjRAP8gY3Gf:mb/4D6pO6sWG0X/gYWf
Threatray 3'757 similar samples on MalwareBazaar
TLSH T1454412026721D613F8B79B3569796BFF4DFEE0246528AE171350AC403D32ACCAA0E757
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
INV91052.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 07:29:53 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/47f2a560-eb8e-4e14-acac-0c8d03c40426

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323263/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for the window
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cecfb272-204a-4e3c-83a3-71d97f244cc6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096372
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729012 Sample: INV91052.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 7 other signatures 2->42 11 INV91052.exe 18 2->11         started        process3 file4 32 C:\Users\user\AppData\Local\...\dfokgdtv.exe, PE32 11->32 dropped 14 dfokgdtv.exe 1 11->14         started        process5 file6 34 C:\Users\user\AppData\Local\Temp\9E6.tmp, PE32 14->34 dropped 58 Multi AV Scanner detection for dropped file 14->58 60 Machine Learning detection for dropped file 14->60 62 Found hidden mapped module (file has been removed from disk) 14->62 64 Tries to detect virtualization through RDTSC time measurements 14->64 18 dfokgdtv.exe 14->18         started        21 WerFault.exe 20 9 14->21         started        signatures7 process8 signatures9 44 Modifies the context of a thread in another process (thread injection) 18->44 46 Maps a DLL or memory area into another process 18->46 48 Sample uses process hollowing technique 18->48 50 Queues an APC in another process (thread injection) 18->50 23 explorer.exe 18->23 injected process10 process11 25 svchost.exe 23->25         started        signatures12 52 Modifies the context of a thread in another process (thread injection) 25->52 54 Maps a DLL or memory area into another process 25->54 56 Tries to detect virtualization through RDTSC time measurements 25->56 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 00:57:32 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxtmdhx4ctzrnbsmqjc6hwzhiokrlzhqmekoashbq2gpwrivgnbq._file
Verdict:
unknown
Similar samples:
167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e
Formbook
9966eeca950694ba48db989a27ee8d42beda2612e0c33ca19fc55607709e9aa9
Formbook
a9731f99c6a49a98e6ecc244f7fc6b4263be8255559a883c58e154bb9be68b44
Formbook
b1bc91086e6fe98ad32079eec01e28b01ae0706d513bf494bd321aaf22e641ec
Formbook
d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad
Formbook
f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2
Formbook
ff4cff76876cda952a48855396ca07f5fb5216a5df0efd10c9701c135552703c
Formbook
+ 3'747 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:f48y rat spyware stealer trojan
Link:
https://tria.ge/reports/221024-h68rqafbe9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook payload
Formbook
Unpacked files
SH256 hash:
39fe1f4d8a6a1ea85403431ed454d0f0c5b196af8f0836f0c13e4800ebd4a72b
MD5 hash:
ab41e51ffefb3aeb38258da1ee5b726f
SHA1 hash:
b4189e65c59b686529b7ac582840950754501a7b
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/9b88b3c4-64ad-4084-ae32-f0c37a5f45d5/
Parent samples :
93838af8cffda60213137f5bd1fb3dd149d2d1d58133a5911c277829f8f7f95b
77b910c55fbbd7f039208e66d79081fc98114685535974d5985546aea049d502
4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f
2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343
SH256 hash:
73a6662434e4da27b6a3d5498640a8bddc8f16f7b34a77d17031923bf10252ce
MD5 hash:
e6a3fe15e0f3b406a9f1573c78877bc1
SHA1 hash:
ee4d2a2b99e58a0ff55ecd364a7edfb666aefdef
Link:
https://www.unpac.me/results/9b88b3c4-64ad-4084-ae32-f0c37a5f45d5/
SH256 hash:
2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343
MD5 hash:
e9680ac76be7504b3aff5ed7a8d43031
SHA1 hash:
c3ca4aeac90b3ded4d0959c3ff27edc64c6f9e93
Link:
https://www.unpac.me/results/9b88b3c4-64ad-4084-ae32-f0c37a5f45d5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2de6c19efc14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/323263/

Comments