MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f0d0cc43b73c43c520254a97834211ab8e0d8704d5886f5ff0ccca4f0bb7eea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f0d0cc43b73c43c520254a97834211ab8e0d8704d5886f5ff0ccca4f0bb7eea
SHA3-384 hash: c41fbcea41ed63d3163e65ead7c2f684b337832a5e2919f1fafae5128e93c75b78d61ac7be3c140eb25e22c4646d2807
SHA1 hash: da41f66a9f9584f6c44a1607075a3a03549701f3
MD5 hash: 66e5ad25d42769c0e217add994434ff2
humanhash: harry-ten-music-fillet
File name:2f0d0cc43b73c43c520254a97834211ab8e0d8704d5886f5ff0ccca4f0bb7eea
Download: download sample
Signature Formbook
Create hunting rule
File size:1'168'384 bytes
First seen:2020-11-14 18:29:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:0MzoKfBPWsN9i7QGjaYTDniBuxmHaWI5E6j1oGrQ3iH5:1fBg7j7DiBwYaWI5EEDs3q
Threatray 2'904 similar samples on MalwareBazaar
TLSH 3B45BE0273E1D032FFABA1739B6AF641967878294173852F13A82DB8BD701B1567D723
Reporter seifreed
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Autoit-9790147-0
Create hunting rule

Win.Trojan.Autoit-9790232-0
Create hunting rule

Win.Trojan.Autoit-9790239-0
Create hunting rule

Win.Trojan.Autoit-9790240-0
Create hunting rule

Win.Trojan.Autoit-9790242-0
Create hunting rule

Win.Trojan.Autoit-9790245-0
Create hunting rule

Win.Trojan.Autoit-9790251-0
Create hunting rule

Win.Trojan.Autoit-9790262-0
Create hunting rule

Win.Trojan.Autoit-9790267-0
Create hunting rule

Win.Trojan.Autoit-9790695-0
Create hunting rule

Win.Trojan.Nanocore-9789919-1
Create hunting rule

Win.Trojan.Autoit-9791035-0
Create hunting rule

Win.Trojan.Autoit-9791037-0
Create hunting rule

Win.Trojan.Autoit-9791624-0
Create hunting rule

Win.Trojan.Autoit-9792204-0
Create hunting rule

Win.Trojan.Autoit-9792227-0
Create hunting rule

Win.Trojan.Autoit-9792274-0
Create hunting rule

Win.Trojan.Autoit-9792322-0
Create hunting rule

Win.Trojan.Autoit-9792870-0
Create hunting rule

Win.Dropper.NetWire-9792905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535095
Signature
Binary is likely a compiled AutoIt script file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 316646 Sample: dB7XQuemMc Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 32 www.mostposh.com 2->32 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 2 other signatures 2->46 11 dB7XQuemMc.exe 2->11         started        signatures3 process4 signatures5 56 Binary is likely a compiled AutoIt script file 11->56 58 Maps a DLL or memory area into another process 11->58 60 Tries to detect virtualization through RDTSC time measurements 11->60 14 dB7XQuemMc.exe 11->14         started        17 dB7XQuemMc.exe 11->17         started        19 dB7XQuemMc.exe 11->19         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 21 explorer.exe 14->21 injected process8 dnsIp9 34 bajrangproperties.com 173.208.235.235, 49741, 80 WIIUS United States 21->34 36 zitatewelten.com 81.169.145.74, 49734, 80 STRATOSTRATOAGDE Germany 21->36 38 19 other IPs or domains 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 25 cmd.exe 21->25         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 25->50 52 Maps a DLL or memory area into another process 25->52 54 Tries to detect virtualization through RDTSC time measurements 25->54 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f0d0cc43b73c43c520254a97834211ab8e0d8704d5886f5ff0ccca4f0bb7eea/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:34:33 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
018bc083a823092a92d1c114dd649d85f63b19feda836cf32b44bc1e5c2f3aa9
Formbook
28e6b82a33e2b7e7ce02e684b90aae380c6e4ec244d111a5d16833ddf288981b
Formbook
4173f8d221525a3414e606763b5a61b649ec421c145e7a9bc683d3e8ff5d5c96
Formbook
59be3e15ddff51758d23796f5528e93ff6c5164486bd0416ff25dc0ddc33f29c
Formbook
754b53cd03dcc7c3d854a9628e5d01447fd778aae73f7890b5f7527ad4bd76ea
Formbook
79fe9749c4a7e8297e056cc4f0fbed7130900cd9aa2be3a1339acde4a11ca171
Formbook
7ac0888e83ebfc1401796d95250dcfae864d1db479bd741bd44847722a03555e
Formbook
ac320ccfb00631656e4ffddeb052255a8a52bbcdfd7559f943b62fd4aada1f42
Formbook
b6138e4d197c59380c87723cb54c9cf7d5e4600a4273c98723470a57a591edda
Formbook
b868ded573176e58f1d498447a375a73ff901fe072c28af6be9f851f8d0cdacc
Formbook
+ 2'894 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201114-ks4abtmw82/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.brandonprattdrums.com/nt8e/
Unpacked files
SH256 hash:
2f0d0cc43b73c43c520254a97834211ab8e0d8704d5886f5ff0ccca4f0bb7eea
MD5 hash:
66e5ad25d42769c0e217add994434ff2
SHA1 hash:
da41f66a9f9584f6c44a1607075a3a03549701f3
Link:
https://www.unpac.me/results/e6da68e3-6363-4c41-bd17-396cb4d9ab80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Babar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2f0d0cc43b73c43c520254a97834211ab8e0d8704d5886f5ff0ccca4f0bb7eea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments