MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8
SHA3-384 hash:	bb25d8f48ceaebd90b2320b140c65e229595704fd19e8d905438344f8eb91d68bc3706ae3ede0206093b22871f4801c9
SHA1 hash:	958eaad629760ef4d937c761343b542976b0df8c
MD5 hash:	b6c05638d08dcd6aae39a25a34348781
humanhash:	equal-massachusetts-low-utah
File name:	SecuriteInfo.com.Trojan.Siggen11.60040.2930.681
Download:	download sample
Signature	Formbook Create hunting rule
File size:	582'656 bytes
First seen:	2021-01-28 22:52:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:fTr4kTMah5eRtDBN4nzzD9UgdZWq0IIGIIxMlaZ:fTskBwr47DdMVIOl
Threatray	3'658 similar samples on MalwareBazaar
TLSH	9DC4BF211289AE50E07EA7B19270D13097F5AC03C361DD9EFDD84CDB3E22BC65A5F266
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ENQUIRY.xlsx

Verdict:

Malicious activity

Analysis date:

2021-01-28 06:27:43 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Link:

https://app.any.run/tasks/27b0a865-b0d4-49bf-999f-5e947ca80a7f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/114637/

Detection(s):

SecuriteInfo.com.Trojan.Siggen11.60040.2930.681.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/593430

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-01-28 04:26:46 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

410e324656b57d2eb5e1c0eabbdbda34d787f346ab817f1afbc388ea615c2585

Formbook

52a4e8e4fa40648531d4195cd66facc83b27d62f9183a12bc6b756628ffb0a3a

Formbook

5844c46897bed7fe14055a67a96610d8f81d68af270d698a600bb234bf813653

Formbook

62713d398ac2401fa51569449d65c583fb907a316c134897c21ebfa71ae36f2a

Formbook

7ca6fd35f23ebe9ef2a3dc7a1d6e95fa1569a80eff9987e2b4126c3b757aabda

Formbook

93a1fa9f19e45c921bc4e377c74e666ebcfc5b3dab60efe5e0c7d04438cf1794

Formbook

c9bc1c7f21e628959622a569b2a4221b8a4cbcc34f3d01684da97bea5cd9caf7

Formbook

da42b1ff5f54cd474134945accc49d5fddb9b27ccf84772219dc64bee8c43bbc

Formbook

f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed

Formbook

+ 3'648 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210128-nws84d36zx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.freshpixels.agency/wls/

Unpacked files

SH256 hash:

45717915496b651fbf1504b60ddfd7d2e6bd800913aecf1d24c54b98ac29855a

MD5 hash:

a2c5eca2d91b19c140dfb4b37d21c20f

SHA1 hash:

c2bf64b36697687c043efa406fc047c6ab78bc68

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3c73d941-e12c-477a-9a61-ad70078b575c/

Parent samples :

3df48002a1199ab680bea952851cdc0a93f905f21d09245889d6332af639fe68
7ca6fd35f23ebe9ef2a3dc7a1d6e95fa1569a80eff9987e2b4126c3b757aabda
2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8
865114b9f103c739212beb94ede2a4c67f58b9f02268673109b452452803e88a

SH256 hash:

cfc2a672566a6c8c44facb3065695876c1165cfdbe46b6450227dddd33e263e4

MD5 hash:

d92e0c939b7300df96fa7b1439c22671

SHA1 hash:

cd1645ec9271628fe227cf1bc9b848152d1ed583

Link:

https://www.unpac.me/results/3c73d941-e12c-477a-9a61-ad70078b575c/

SH256 hash:

ac4512c817c309261d8198967719f4e284f6b701a81c0ccc58d64c81aeb9048a

MD5 hash:

f7b258e18e4a156535d10710b26d0f4e

SHA1 hash:

402934203483bb6e2afa1705905c470a374bb44a

Link:

https://www.unpac.me/results/3c73d941-e12c-477a-9a61-ad70078b575c/

SH256 hash:

2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8

MD5 hash:

b6c05638d08dcd6aae39a25a34348781

SHA1 hash:

958eaad629760ef4d937c761343b542976b0df8c

Link:

https://www.unpac.me/results/3c73d941-e12c-477a-9a61-ad70078b575c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 2e0b3113f22af36c4fe68ba67012b0d023f2d6e34a702585127b3da89dc989c8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/982104/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/114637/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample