MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2deb22be02f4464416048e124a39c1a8df4f29ba90d783d27bfcefa29ddce161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2deb22be02f4464416048e124a39c1a8df4f29ba90d783d27bfcefa29ddce161
SHA3-384 hash: 61180771d41c831bb78663828a9c37b3420d898f36197e72c09b922460e7bc960ddf0ded061ed4042d49fd3a261d0575
SHA1 hash: 57ea4b26a34c0779ae9767cc957452883475cadc
MD5 hash: 72014c837d630e0eb8b79d0995166d47
humanhash: pennsylvania-mountain-beryllium-asparagus
File name:Booking Declined.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:1'137'664 bytes
First seen:2021-05-05 11:46:37 UTC
Last seen:2021-05-05 12:01:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:4NXBQfytIslZRxRtGlXwaeXCoociczxtrB9zztzzK:4N6dsPVt5yovBbrB9zztzzK
Threatray 5'080 similar samples on MalwareBazaar
TLSH 28358FA7D349ECDDE5077C324C7D94210067FE8D98A6C66ABC09396494F338236ABD4B
Reporter abuse_ch
Tags:FormBook scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150558/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2deb22be02f4464416048e124a39c1a8df4f29ba90d783d27bfcefa29ddce161/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 07:20:32 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxvsfpqc6rdeifqeryjeuoobvdpu6kn2sdlyhut37tx2fho44fqq._file
Verdict:
malicious
Similar samples:
0cfcc28cdab9675c1a09f88af826490e0e35e4292d7eedf174f9dac055d8085d
Formbook
395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
6a0c21a5a37e307becd9ed9bdee0f3f41e3d1a61847a6e9ae272ec891d4f7728
Formbook
78f83f782f8d2077dd50d65badb4ed36ec24c029241287f76560e60733b61c29
Formbook
850ba9cb8e16d04b40e1499ea65f614d760af29ed7f0892f99e10c88e1f80c68
Formbook
8f0337a6ceabb0f235950c20db817d766d4b9e5cf8831e60ef766c82f33f7dec
Formbook
e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7
Formbook
ef77a8918ed19e4c73ba620ee2fba77e1058d8b132768ef034dc10322d560aa0
Formbook
f130539b2d2324246449abb99f5a0effb214feee629b092d48ac63aca14e2ba6
Formbook
+ 5'070 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/210505-jys3cd7cz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.evolvekitchendesign.com/ffw/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/6963fdbd-0ac8-4287-89b4-d92d22658854/
SH256 hash:
2deb22be02f4464416048e124a39c1a8df4f29ba90d783d27bfcefa29ddce161
MD5 hash:
72014c837d630e0eb8b79d0995166d47
SHA1 hash:
57ea4b26a34c0779ae9767cc957452883475cadc
Link:
https://www.unpac.me/results/6963fdbd-0ac8-4287-89b4-d92d22658854/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150558/

Comments