MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5
SHA3-384 hash:	4ef44719313e9ac20dce46c3fe1a69ab84eec1331ac97e77c8ddb0fa6fd88e885b08fe5843912b2a3a40d62ad166daf2
SHA1 hash:	10293fa919e4ee560d1d075fe5c68b2dade96552
MD5 hash:	4b5652391f647d57a6e592ac5319e8de
humanhash:	burger-fillet-beryllium-mountain
File name:	4b5652391f647d57a6e592ac5319e8de.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	248'962 bytes
First seen:	2022-03-22 18:48:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	3072:rS17XJiDxmJJ7kK26axD5ma04mso1puiVwdijTTACjxtzBwKoEsmAEzMdNb8Uu6q:rGiGBYy4K/u0g2TPpSUsmFzWDDofXzD
Threatray	10'939 similar samples on MalwareBazaar
TLSH	T14D341283A395CEF7D6521832B4FA66B7C77BE10C42989F2307B0926A6E671F70601177
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/255076/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.29977.21639.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/623a1a3ddfdfa8501cce2114/reports/96ef8e1a-03d7-46da-b30a-4c7d3f042d02/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3deca6a2-0f1a-4986-bd48-11a2e9567783

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962071

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-03-22 12:04:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f5d45sykydaxvu4pd2fwlzf3w4ma3b6xkdwx5e6ot7c5wepfzlsq._file

Verdict:

malicious

Label(s):

formbook

Formbook

417c951fb4d744d1446011b1e2e36e76d450801fa8072d72ea600d323d03a8c5

Formbook

4eac3744a1240baa0ba6a519876425b8c52ddaefcb6e65afe077d71b1393ae52

Formbook

5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1

Formbook

98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e

Formbook

9cd0bbacb06bc4a961772ad5dac574736247fa7604116855118ecabb6926643b

Formbook

ab12ca2a034e07fbdd6c9d6c31270f52173cd8559e12aad0aea593cc460867cd

Formbook

d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720

Formbook

e3c2718738a6d4d07664a951dee401b2c4e9416ac6a989f6aa21c3564fdaf241

Formbook

e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c

Formbook

+ 10'929 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:wesd loader rat suricata

Link:

https://tria.ge/reports/220322-xgcejsdbaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

9cba583956dc3a86d34547dd4664a252f462caeee10dfcaa1e5680bc30ff8745

MD5 hash:

55b4d82b5b8b6ca5ef51e542ed771531

SHA1 hash:

581983e28e7f9845c35bce90c4d792fd1ee8a032

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/6714eefc-bb1d-4e89-a10f-2467ab80e03a/

Parent samples :

58a3b0684756dd561c0300547a910b82c2b177d7644cca51b1e746302fe8fdbc
2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5
ff04141e60160f0454edc8feeda14c75e74b1d2a571a80d5ddc14566dc175053

SH256 hash:

cde9f4c85e0b09e917e3fdaeb49cb98a70878c5a8078bdd7ff7485bf26b2c8ac

MD5 hash:

3efec20313149429647af2bc6f6088fa

SHA1 hash:

6c281b0cf9e3792c22e59352531ea4bf61d46d54

Link:

https://www.unpac.me/results/6714eefc-bb1d-4e89-a10f-2467ab80e03a/

SH256 hash:

2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5

MD5 hash:

4b5652391f647d57a6e592ac5319e8de

SHA1 hash:

10293fa919e4ee560d1d075fe5c68b2dade96552

Link:

https://www.unpac.me/results/6714eefc-bb1d-4e89-a10f-2467ab80e03a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2f47cecb0ac0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2111139/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/255076/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample