MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
SHA3-384 hash: b551ad46333bfdddefa2e4273facacd4c215a7c13b20cc7a93b577268fd597e06615105d473c16f2b7afdefbfed718e3
SHA1 hash: f88110dbbe4877a343a7bc4aa36f56366f200496
MD5 hash: 4e44665c0e3efa79b5860eb6f0fb018d
humanhash: kansas-december-steak-ink
File name:2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
Download: download sample
Signature Formbook
Create hunting rule
File size:807'424 bytes
First seen:2021-07-07 09:56:15 UTC
Last seen:2021-07-07 10:44:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cCwyBP6NsBvx7JZlyjsPEwZcFLlJ35qVfKVv8pCS8cN+TN6yZAM:cChP6NMxpyjsfcFJSJKZ8cQYxd
Threatray 6'244 similar samples on MalwareBazaar
TLSH 67058CBA60764B91EDBFC7380331161C4FA9B37ED21BFAB85D98B59801D0F450A92937
Reporter madjack_red
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
Verdict:
Malicious activity
Analysis date:
2021-07-07 09:57:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a380b07d-79bc-449e-9e25-75d971670950

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170162/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.908.9156.16222.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8fb9e6c-cb02-414c-87d8-42adc3723fe9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812793
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445204 Sample: 83s7VhjKIg Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 31 www.titpervert.com 2->31 33 titpervert.com 2->33 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 45 4 other signatures 2->45 11 83s7VhjKIg.exe 3 2->11         started        signatures3 43 System process connects to network (likely due to code injection or exploit) 31->43 process4 file5 29 C:\Users\user\AppData\...\83s7VhjKIg.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 83s7VhjKIg.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.553865.com 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 02:49:52 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3idrxzaxd2bvbcgkhwrylg4ulgkxlc3pkkgvqdkbcjpmqkidfzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0726096c82c2c643c7de2ed48533e0a545e71f2294433cd7df473aebe9f17681
Formbook
0881127ba3ada84a8259b0e923fb8723a89016ae555bb59c44a9b372bba7daab
Formbook
2450d5f5fa69393262ee4d935acf867ff537ffaaa0a927823b748d5d77dd9fcc
Formbook
612978b3f26f015bba90e038b5fff1fd337818713e639dfd292e72d3109bc931
Formbook
74743d6468cedf3e66f1171ef32981dca4fb211b3fd7be519045fc42b077ced2
Formbook
8943af6c4da94f93c169ef98a7b8393ca92b01753e89ea5503d5740bcc45296d
Formbook
92fee75dbfa7cb48d837b580cc3544832cf116d9991ac9cd0135cef22e535510
Formbook
932d535ab92b682eff0f74322211abd760021a9003d18b953e7226a6ebc38902
Formbook
ee3cd0b8ec089cdcec65b22189ecc9efb9f356afe0870e424cbdedcf19920e13
Formbook
fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Formbook
+ 6'234 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210707-jqcn7be1ke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fabricwarehousebrla.com/mjf5/
Unpacked files
SH256 hash:
687a2ac1ccda161bbb4c669880d72acffa2a950833ae53834ba1bb32de2b4c8a
MD5 hash:
a948ee8c46dbfe097f510355ba5d0944
SHA1 hash:
8774e6de3760585df767f8086054c50c6b28ccd1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6f17171-6eb6-4282-b514-6225da8a6965/
Parent samples :
2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
ac4d23b56b2aac65756dafc7d6ff505ba986f40410370ca4c094f0530e399d79
35a2017af959b6e43cb129fc6c18c7e21bc0a1d850b1e74101bbb95d8c5bd3c0
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/c6f17171-6eb6-4282-b514-6225da8a6965/
SH256 hash:
5eed88a77cb1688b04c48c9e07801d283e953ed778d77d447167fc42b9b58abd
MD5 hash:
f430d5909be419a67ca0644d08bdc3c2
SHA1 hash:
35ea8a6c2749deee68513680034c7564c22f8e97
Link:
https://www.unpac.me/results/c6f17171-6eb6-4282-b514-6225da8a6965/
SH256 hash:
b0d702253994ef423adc11a83dd356683f7c8b16c6a0dbb14190bb68997859d9
MD5 hash:
16ed44f7effff9c743fee9b6068aa688
SHA1 hash:
3339626dd9810dcf791e7e2a54c430be51623007
Link:
https://www.unpac.me/results/c6f17171-6eb6-4282-b514-6225da8a6965/
SH256 hash:
2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973
MD5 hash:
4e44665c0e3efa79b5860eb6f0fb018d
SHA1 hash:
f88110dbbe4877a343a7bc4aa36f56366f200496
Link:
https://www.unpac.me/results/c6f17171-6eb6-4282-b514-6225da8a6965/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ed038df20b8f41a844651ed1c2cdca2ccabac5b7a946ac06a0892f641481973

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170162/

Comments