MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 12 File information Comments

SHA256 hash:	2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df
SHA3-384 hash:	579ca282633b534e8a01a36b3feb1cfed9b38369591efbbf54c0e1d9a87b71bbf83e34b7837161da18c9708cf1f39f4e
SHA1 hash:	0117ed9a62e581ac393d9992fbee7fc1b03769c4
MD5 hash:	85c1251aeed375e48a5ca828d3b6d43b
humanhash:	stairway-violet-connecticut-salami
File name:	2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df
Download:	download sample
Signature	Formbook Create hunting rule
File size:	714'752 bytes
First seen:	2023-10-12 11:03:28 UTC
Last seen:	2023-10-12 11:53:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:fcTAckjV4qobt0+L9YAcWjeDeHZn04imu82sxBuHkvJXTFa13ydt0i0eEfYv4:wkh4qobi+JY+iDeHZnO8VxZk3aGi0I
Threatray	32 similar samples on MalwareBazaar
TLSH	T1ABE402035BA21291E67E6675A9B2017207BBB295CD39CF2D0CCC509C1BFB691F914FA3
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	229878f8b4f031c4 (24 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df

Verdict:

No threats detected

Analysis date:

2023-10-12 11:06:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/14bdd681-88dd-4c43-aaab-41f0c7fa7814

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453773/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Restart of the analyzed sample

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6527d2a4422e14c65a8e3509/reports/87af103f-d99d-4fa2-a540-fc1f08ab7306/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ae9fc53f-285d-4ae5-8070-7816d763bb61

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1324606

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Uses ipconfig to lookup or modify the Windows network settings

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2023-09-29 06:14:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f44qo4i4asuqel62nampewmjjahtxyuubgwwbkto5o2brlveippq._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231012-m591lsef8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

155e12a2a3bc3aa67929e82664414c85fac854feafeceb5e4275a99c907a84e1

MD5 hash:

354b2c35d29118f6a491bd6979502e32

SHA1 hash:

06dc134c4b3298716e0797afe9d2838c699b2b0c

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

Parent samples :

2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa
2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df

SH256 hash:

d63dcac5acfbefd1af13a1f4a885f6c714a3d00c7ec2827a5cf23949a8a000e5

MD5 hash:

6aeee2c1026c0b2bc7894ec5102fce6d

SHA1 hash:

d907f0107172e430ce72df51cf870714fee7795e

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

bc6e1487bee00a8fd2b639ee4e60867d7e409bd3cb6be1451f5ddbce26340766

MD5 hash:

fe233bfa89c7e26811c45fec198f7937

SHA1 hash:

6f0af0f155b841786f43b01e0c1c033aa277cdbd

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

6bcd0ac28ccd01580ff354f56699e426613ca27d18dafc0615396b4863537e68

MD5 hash:

cd536ef75a2336613b4cc5ec964dc039

SHA1 hash:

44efbbe60c7ce1d1869b7f03a8269c444ce5843e

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

7d451f7052e87d9c1e305565002f200d5e2e43fe04a773ad1d72f1f220fcff88

MD5 hash:

b23c837864ed6c0c0986b0de17ac063a

SHA1 hash:

44cd1740ff99efe039b0b9f23caa8158b46a9ed6

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

9d82b529a45bc8b607bc5b4c6ee9bd2dc2022cdcb1cca444af0ebe9b46c2fbf3

MD5 hash:

5a6f5c961871c5971bd0bb43f6e576bd

SHA1 hash:

10a3eaab0721abf01e85907eb0d82bf3276e341a

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

c90371cb7930c0599b294347dc944ba84775286306e75ce1565b6a18d3b81d05

MD5 hash:

ecfedee51f43054b472a279095a5e581

SHA1 hash:

9b9624d03314715406f60717059950b0b8d1f7b8

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

5e451398dea1e51737e202824e01661086b6bfd2a5ad7f21ad065854b7e6a230

MD5 hash:

3e68b40a8fb6789d9eed0c297a0bd8d8

SHA1 hash:

8b5885bc951c86e91b773646bfd3d51131fd8acd

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

729be4218106cce1a54022a37df3327b8d3c2e95efd135a9fab1334a4b99ce80

MD5 hash:

dec7ddeaaa4dd82c49430375c50f3d2d

SHA1 hash:

60ae6b51182099b338422068e5e33bb839352d0d

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

4cdaca8b30279e5c3df87ae89c57630deb113e649d962ff236131241f4d69e5e

MD5 hash:

da7bd5fd1ec9f982a01dd874b632ea5e

SHA1 hash:

4421a6ad585ff5e9b72342be27e7c4bee2f79ec2

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

3bf3d295ef72624a2b65b779d0c008462bae1df077153659f1bb41148254a329

MD5 hash:

639b87f3cd7f1bb37c447444da2a9590

SHA1 hash:

14c5be6cd42ae6d640ce3df78387fc944b8c49f2

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

ae5e1dc0633311e4af00cf3ff8c35391f67f2af5e516bb2d5c8f0f0968106566

MD5 hash:

6edba5f0a5cdb1184ae8957ea261d47e

SHA1 hash:

067581112d1ab589e54ecc0e9139171ca5158055

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

SH256 hash:

2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df

MD5 hash:

85c1251aeed375e48a5ca828d3b6d43b

SHA1 hash:

0117ed9a62e581ac393d9992fbee7fc1b03769c4

Link:

https://www.unpac.me/results/3481c247-5b19-466f-b34f-1d671577dd59/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2f3907711c04a9022fda6818f25989480f3be29409ad60aa6eebb418aea443df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453773/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample