MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d
SHA3-384 hash: 839d7cb11fc9fd879a5760ba1f14a59f61f880e286387ce76a3bf1898b87dd4d603f0d3ae6ec466b415a39808b8fb6db
SHA1 hash: 49dc2e15979f0af2f6d2cb195ef69f0290dcb935
MD5 hash: 9fa1936a54b38a2f6b45e46a397a3c3f
humanhash: carpet-jig-network-zebra
File name:z8PEDIDODECOMPRAURGENTEpdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:585'728 bytes
First seen:2023-08-02 16:04:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iK2iN8JJ1v+UYtBy2qUdrsYeKOODp72louEwNqylhdK+:iK1uJDIBHdrWQ9Dmqylh
Threatray 1'768 similar samples on MalwareBazaar
TLSH T1E1C42325912856F5D65D87FA3892814503730A1E6432EBD6DFE318EE7FD2B301A12BB3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
z8PEDIDODECOMPRAURGENTEpdf.exe
Verdict:
Malicious activity
Analysis date:
2023-08-02 16:05:42 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/e6ed8f82-6ad6-42a7-b650-3c8acf355631

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439874/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.MSIL.GenKryptik.GMAH.155213.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64ca7eb1cbfeb5bd5751314b/reports/8cab6d0e-e10d-4f15-9637-bb60bfd33cc9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/608fc93f-8c08-4829-9b2c-94127bd572a5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284554
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1284554 Sample: z8PEDIDODECOMPRAURGENTEpdf.exe Startdate: 02/08/2023 Architecture: WINDOWS Score: 100 64 www.evesbreaths.com 2->64 66 evesbreaths.com 2->66 80 Snort IDS alert for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 8 other signatures 2->86 11 z8PEDIDODECOMPRAURGENTEpdf.exe 6 2->11         started        15 EzDeNgs.exe 5 2->15         started        signatures3 process4 file5 52 C:\Users\user\AppData\RoamingzDeNgs.exe, PE32 11->52 dropped 54 C:\Users\user\...zDeNgs.exe:Zone.Identifier, ASCII 11->54 dropped 56 C:\Users\user\AppData\Local\...\tmpC2D6.tmp, XML 11->56 dropped 94 Uses schtasks.exe or at.exe to add and modify task schedules 11->94 96 Writes to foreign memory regions 11->96 98 Adds a directory exclusion to Windows Defender 11->98 17 RegSvcs.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        100 Multi AV Scanner detection for dropped file 15->100 102 Machine Learning detection for dropped file 15->102 104 Injects a PE file into a foreign processes 15->104 24 RegSvcs.exe 15->24         started        26 schtasks.exe 1 15->26         started        28 RegSvcs.exe 15->28         started        30 RegSvcs.exe 15->30         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 17->68 70 Maps a DLL or memory area into another process 17->70 72 Sample uses process hollowing technique 17->72 74 2 other signatures 17->74 32 explorer.exe 3 1 17->32 injected 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 26->40         started        process9 dnsIp10 58 www.thesurfing.xyz 64.190.63.111, 49700, 80 NBS11696US United States 32->58 60 qmspharma-jo.com 34.102.136.180, 49703, 80 GOOGLEUS United States 32->60 62 8 other IPs or domains 32->62 76 System process connects to network (likely due to code injection or exploit) 32->76 78 Performs DNS queries to domains with low reputation 32->78 42 explorer.exe 32->42         started        45 cmd.exe 32->45         started        signatures11 process12 signatures13 88 Modifies the context of a thread in another process (thread injection) 42->88 90 Maps a DLL or memory area into another process 42->90 92 Tries to detect virtualization through RDTSC time measurements 42->92 47 cmd.exe 42->47         started        process14 signatures15 106 Tries to detect virtualization through RDTSC time measurements 47->106 50 conhost.exe 47->50         started        process16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 13:32:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzubpcdk5ddl7l2vjgozkc5zmo24c5w5llnvvhp3rtpetvn7hfgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
Formbook
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
Formbook
97bd79e26600f552bfb5764aec1606acb63b830b5fefb807d12fe2088854a3cc
Formbook
a5a279ff939e0031e4c3d74d5605cfe84368628d404829bee3943e2e25ff2809
Formbook
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
Formbook
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
Formbook
bdc8c2c8c2cf14b3189551124ff820c303a36139830b0ce299f2538ef9c2ff06
Formbook
bf6a195481cb4cba11f09c03c4fca9be90f011fc883dad09b8b79a4b94e3aafc
Formbook
c250549bfd9382d9489d8a0905c0b8bde28ec07f5af5d8b92e4ec8eb6cc72248
Formbook
ce902a74a974d8abadef885c3aa91a41ad495d0d22a187b0bb4c87645d3ae0a8
Formbook
+ 1'758 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d0i9 rat spyware stealer trojan
Link:
https://tria.ge/reports/230802-tjg62afe28/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
e97015efa7b3c6373206d9f8e70ecd94da555837d3bdba4d301b73384490fbe9
MD5 hash:
3201888be03eda737b8f62aba68f9199
SHA1 hash:
9b64226fb85b69e2af66ce64ffdd90c54010e854
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/df193b9b-9ffd-44c4-88e7-eb9368af3634/
Parent samples :
a200ca72553397e7d6a4c746a52411f62819d7860e7330e2d45df32f3c952dfa
ba5cfc9373499678bbd2a9ca62e554be9c114d913cf97c00822917226df0bbe2
5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3
c22f7e6ed2e27a1863b7bf519f4254afafeffc69cadbee3ff2eadd3b3ed36492
2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d
7fba8c621fc9192e73139b70878ccf8ed761b025fe13bef1bf74e1d5181ae48b
739428d0a73e227de5c5d32a2e9cb7b5dacce36cd48c05cce21e2dde28730a97
SH256 hash:
f0c01e00d7f152f495675266f543390efed0376eb0e977394b20d77ee72372f8
MD5 hash:
cec50afb3d3ca4c9412d2b7f32973898
SHA1 hash:
f2ba73f9d144e258e37de23a7e92f96e73c23b0f
Link:
https://www.unpac.me/results/df193b9b-9ffd-44c4-88e7-eb9368af3634/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/df193b9b-9ffd-44c4-88e7-eb9368af3634/
SH256 hash:
9339b1eb80d33ecf43b431cdcf9f75a16b6b528d2cec30f84b8c68fa474d9439
MD5 hash:
fc38ee4ca0edf6c96e94ce8713cc9529
SHA1 hash:
a78a6912162d903001a58a908d0f5e22de3a444f
Link:
https://www.unpac.me/results/df193b9b-9ffd-44c4-88e7-eb9368af3634/
SH256 hash:
2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d
MD5 hash:
9fa1936a54b38a2f6b45e46a397a3c3f
SHA1 hash:
49dc2e15979f0af2f6d2cb195ef69f0290dcb935
Link:
https://www.unpac.me/results/df193b9b-9ffd-44c4-88e7-eb9368af3634/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e6817886ae8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439874/

Comments