MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3
SHA3-384 hash: 0f3e5a11574dce6eab2459785ecc134a5cf62125d46103fb1f6da56261434db05187f421fe32d8b18a374ed13665ba26
SHA1 hash: 5d8b898147b3396695d574dd8a9c7914260b47ec
MD5 hash: f198b1daf9f6d86610f3361b67e64bbf
humanhash: music-river-robert-georgia
File name:f198b1daf9f6d86610f3361b67e64bbf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:861'696 bytes
First seen:2020-12-02 15:35:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:tIG6pWGLGe+mWx0TrC34X8WfUAAByDXnRB+u2GIdtJyyNS2qPVGNbTuMuKBD7hp9:/UBhWWH5X8FAAByDXnRBiR4ST0sDdV1
Threatray 3'002 similar samples on MalwareBazaar
TLSH C0057D3AAE582939F57A573EC5E02051F6AD9F83A707CC7D28F521CD0763BD989C012A
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106433/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/553761
Signature
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325979 Sample: Ck3QG7gfay.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 100 41 g.msn.com 2->41 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 6 other signatures 2->55 11 Ck3QG7gfay.exe 7 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\Temp\tmpA00.tmp, XML 11->35 dropped 37 C:\Users\user\AppData\...\Ck3QG7gfay.exe.log, ASCII 11->37 dropped 39 C:\Users\user\AppData\...\zySImCpOZU.exe, PE32 11->39 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 Ck3QG7gfay.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 Ck3QG7gfay.exe 11->20         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        process9 dnsIp10 43 155tg.com 102.141.201.141, 49737, 80 sun-asnSC Seychelles 22->43 45 www.baxcol.com 192.64.116.180, 49734, 80 NAMECHEAP-NETUS United States 22->45 47 2 other IPs or domains 22->47 57 System process connects to network (likely due to code injection or exploit) 22->57 28 mstsc.exe 22->28         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 28->61 63 Maps a DLL or memory area into another process 28->63 65 Tries to detect virtualization through RDTSC time measurements 28->65 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 15:35:07 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03f5b9544b3bb2db290e54dfe203f425374d973ac225df52a7cb29adc7998726
Formbook
187785c7830aff67dd03a3bf3a067e9b760cb76f7367ee42c8e4b9c92b78d2e2
Formbook
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
Formbook
5c262eeac56f9ceeb0b44f0b0c46535aa23c3f1317d2c03148648342854fb98c
Formbook
795646c4ff39c86fc65ee70c8eb130b51013645a4446fcd8971520f8ad4bb4cd
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
9f1f45b03b4f7909d0bbd7aa98895a0fcd314db228a7a233512c857ad86e7e86
Formbook
ac84fce48dc5fc0ece582c6cd8f5486d044f48f2923e949d27c5ea44cb0a80a0
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
c813f48272b6106bf37619e57fbde62d1edb5fa5772a1a131374ca05685450a7
Formbook
+ 2'992 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201202-f9vgvagvte/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.poweruppowerwashing.com/21m/
Unpacked files
SH256 hash:
2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3
MD5 hash:
f198b1daf9f6d86610f3361b67e64bbf
SHA1 hash:
5d8b898147b3396695d574dd8a9c7914260b47ec
Link:
https://www.unpac.me/results/50552913-91be-4c6b-a44e-0263cbddc008/
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/50552913-91be-4c6b-a44e-0263cbddc008/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2e01e0d0ed8a638d461d7b2355e9c5c370f3698b2b75bb3e60341179c7116ad3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/880428/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106433/

Comments