MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226
SHA3-384 hash: cd01e72aacac88f5cd5bc0616a6dc784fee46794dd39d06732a2f7fced1ccb4b5badcacc0a6b68dc865471cd4c4e24bb
SHA1 hash: 488404e1eef36f3585b165a9c793faacb93b2b97
MD5 hash: a976de15c5149e328122fba6ca13a0b7
humanhash: kilo-uniform-magazine-helium
File name:a976de15c5149e328122fba6ca13a0b7
Download: download sample
Signature Formbook
Create hunting rule
File size:675'328 bytes
First seen:2022-05-20 06:17:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:am02LQzEPZmRQK4WR5ArNNoyQkR5oO5spQrCYgrGeTNXWoT9OS:ajArNWphSeRWIA
Threatray 15'629 similar samples on MalwareBazaar
TLSH T148E4138D734471DEC913C132EAEC5D646FB0B9B3931B9607900B21AC6E1D69AAF610F3
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
pago111GR.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-20 05:22:36 UTC
Tags:
encrypted trojan exploit CVE-2017-11882 loader formbook stealer
Link:
https://app.any.run/tasks/60c9df4f-79c6-4256-b5e4-ba04867d8ff4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272856/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.23753.14508.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/6287329d945ebb7eb170dba2/reports/17647660-6e53-4603-9697-99f85982d065/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad39c2d1-9bbc-4c04-82af-1f34805bf57f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998290
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 630786 Sample: 8EvYss6pm7 Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 31 www.klotzsynthetics.com 2->31 33 klotzsynthetics.com 2->33 35 2 other IPs or domains 2->35 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 8 other signatures 2->49 11 8EvYss6pm7.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\8EvYss6pm7.exe.log, ASCII 11->29 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 65 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->65 15 8EvYss6pm7.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 37 rknsportapps.com 172.96.191.115, 49764, 80 LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Canada 18->37 39 prestigefinsburypark.site 206.189.141.151, 49761, 80 DIGITALOCEAN-ASNUS United States 18->39 41 6 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmmon32.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 06:18:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25eeb802abf823d4836eade09779e221790692500abd83cb011f8a4b87d46c95
Formbook
3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef
Formbook
5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856
Formbook
6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf
Formbook
84483ed46317d2ba114e3b5f49c4a54a8801bf648b73578135372dedd3f8a9ca
Formbook
c483fdd57cf8e05985e6e09ae3c74a7b53cccff68ddccd0cfea136591ec5c306
Formbook
cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34
Formbook
d3386ecd38090e862e444c4dd7ddf031190f2b73d1fd2f828fc95534d7eb5afd
Formbook
+ 15'619 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:cshi loader rat
Link:
https://tria.ge/reports/220520-g2lkysdfh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
.NET Reactor proctector
Xloader Payload
Xloader
Unpacked files
SH256 hash:
dbd3fc216a972ef8dd9059e796ee8d1c9823524dbb05551842ebc6980560525f
MD5 hash:
e7654c0b2ef58bbd4d8183c3becf22f7
SHA1 hash:
04f94fb1d4421bcce2bbe27ae4393f1deb0a8c8a
Link:
https://www.unpac.me/results/48fd9f20-2a2a-41ae-9cf1-b0e7c36c53ce/
SH256 hash:
0e93440f1d9717fdf21e7e8591794dad144b8f597358256207ffd86a0b8f25a8
MD5 hash:
c3bacdf048163d6916cf4e0232a9d645
SHA1 hash:
05669d717624a209fc71a9a1fae379c3be963eef
Link:
https://www.unpac.me/results/48fd9f20-2a2a-41ae-9cf1-b0e7c36c53ce/
SH256 hash:
4a73aaa468e29d2bb3701db0a34f75d355abae3ba9fd5a1ed2e16d0abbca547a
MD5 hash:
728af3c82102ea0a99a021dc3dbe6728
SHA1 hash:
dfbbc552869787f5033f218db9f8f8b97a20babd
Link:
https://www.unpac.me/results/48fd9f20-2a2a-41ae-9cf1-b0e7c36c53ce/
SH256 hash:
5a96094d0a28f0c5ca37453d7aaf56db9e943b6a3947681bb03c43e1dfbafb39
MD5 hash:
761452ca58202ca57f27a60e544b29d1
SHA1 hash:
111523263156a88ef7da831dbc656843b8f6a1cd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/48fd9f20-2a2a-41ae-9cf1-b0e7c36c53ce/
SH256 hash:
2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226
MD5 hash:
a976de15c5149e328122fba6ca13a0b7
SHA1 hash:
488404e1eef36f3585b165a9c793faacb93b2b97
Link:
https://www.unpac.me/results/48fd9f20-2a2a-41ae-9cf1-b0e7c36c53ce/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e2143c83b9f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2203527/
Cape
Cape
https://www.capesandbox.com/analysis/272856/

Comments


Avatar
zbet commented on 2022-05-20 06:17:34 UTC

url : hxxp://107.172.75.159/PAGO111.exe