MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa
SHA3-384 hash: 916fe34881d3e3ea587b4651bd33d1d170a10892756e5713008703cf567a7adc6f7d3aa20de3e21ffc447f6e43cbda71
SHA1 hash: de41acf047697977c93c64b72bbab6dcc975e5a8
MD5 hash: 14224847f3c3ebfbb06589e0418d1577
humanhash: fourteen-alaska-charlie-winner
File name:RFQ FOBPDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:612'864 bytes
First seen:2023-09-29 09:15:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:la725xeBmijd1YkdxAk1LcxOYVVVSP0W46MyDM8w4Lg7L6OOhiF:LJaYkr9lyRoP0W46MYM8w4Lg7L6O
Threatray 88 similar samples on MalwareBazaar
TLSH T1E9D4225CF5B64722DDD4233E62C8672A83717561E001F3AECA8E5ADB0E357581A60F4F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b26969e8e8e8f0f0 (23 x AgentTesla, 13 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ00 FOBPDF.r00
Verdict:
Malicious activity
Analysis date:
2023-09-27 05:52:40 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/b0d0d932-d075-4537-b78b-d33754a62a76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/651695d532ffdb7a7a18ad72/reports/d1308431-cc73-475d-b1af-e3b414b463b3/overview
Verdict:
Malicious
Labled as:
TROJ_FR.5D194D90
Link:
https://www.hybrid-analysis.com/sample/2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7cbad32-4246-4b14-a99d-9a8afa4c6c66
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316331
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316331 Sample: RFQ_FOBPDF.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 27 Malicious sample detected (through community Yara rule) 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 5 other signatures 2->33 9 RFQ_FOBPDF.exe 3 2->9         started        process3 process4 11 RFQ_FOBPDF.exe 9->11         started        signatures5 35 Maps a DLL or memory area into another process 11->35 37 Queues an APC in another process (thread injection) 11->37 14 SjKmNsufoEiEQFyvajfSUbsmqwIX.exe 11->14 injected process6 process7 16 mstsc.exe 14->16         started        19 autoconv.exe 14->19         started        signatures8 25 Maps a DLL or memory area into another process 16->25 21 explorer.exe 2 16->21 injected 23 SjKmNsufoEiEQFyvajfSUbsmqwIX.exe 16->23 injected process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 06:11:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2qb333xd4hfpnkb2saz3wnfipc23m5eiuwg6xad5lbmjhcufp5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1290bedfe236cb0894d63d8ea46b115ff26bd7694a16ae290fdcbc91291096a4
Formbook
3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6
Formbook
50b7c22b62b792c34ad69ec219ee468803d070257b57902a33248f953444caf7
Formbook
6de402e896d0ecf6b4d55fe0ffc1b978e511a632a842e188200e5cb736893210
Formbook
712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89
Formbook
7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd
Formbook
95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511
Formbook
96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63
Formbook
a81a0d29652f5c3497d905b124fefc89e7149f61c87b2198872c4dbe8f0c0048
Formbook
becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789
Formbook
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230929-k8ggcshb7y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
155e12a2a3bc3aa67929e82664414c85fac854feafeceb5e4275a99c907a84e1
MD5 hash:
354b2c35d29118f6a491bd6979502e32
SHA1 hash:
06dc134c4b3298716e0797afe9d2838c699b2b0c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5ca42dc3-37c2-44e0-9b95-e30ff617682d/
Parent samples :
2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa
2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df
SH256 hash:
d63dcac5acfbefd1af13a1f4a885f6c714a3d00c7ec2827a5cf23949a8a000e5
MD5 hash:
6aeee2c1026c0b2bc7894ec5102fce6d
SHA1 hash:
d907f0107172e430ce72df51cf870714fee7795e
Link:
https://www.unpac.me/results/5ca42dc3-37c2-44e0-9b95-e30ff617682d/
SH256 hash:
fc5b07638eb48abe85dce0f04edf304aaa44b6e8cf6b0d32a20e99c19091454a
MD5 hash:
9e754b3dce2afdca0cfc2a127f487249
SHA1 hash:
bf744e854748cd3ba87a55e774f1bb488ba99f7c
Link:
https://www.unpac.me/results/5ca42dc3-37c2-44e0-9b95-e30ff617682d/
SH256 hash:
abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82
MD5 hash:
491a7170bd8a7ed81d03a64ff2598bdf
SHA1 hash:
8325a5bccba80878a14032c06b78b34db808b910
Link:
https://www.unpac.me/results/5ca42dc3-37c2-44e0-9b95-e30ff617682d/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/5ca42dc3-37c2-44e0-9b95-e30ff617682d/
SH256 hash:
2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa
MD5 hash:
14224847f3c3ebfbb06589e0418d1577
SHA1 hash:
de41acf047697977c93c64b72bbab6dcc975e5a8
Link:
https://www.unpac.me/results/5ca42dc3-37c2-44e0-9b95-e30ff617682d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments