MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0
SHA3-384 hash: 8af33b6dbf0c49c4b2c173629fab230c4762438afd8e0d45a337afb6142ea53505a90bbacc45c0d389453a72750c196e
SHA1 hash: f2d136b68ed475bf392e261921eff844dcf39602
MD5 hash: dbc9e12fcae4f6808bd89b2cdfb92e2a
humanhash: floor-princess-alabama-lactose
File name:dbc9e12fcae4f6808bd89b2cdfb92e2a.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'448'448 bytes
First seen:2021-01-20 14:43:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:TkunGZ1Lq8aPBfC5IehiDMloFsAhDcCj39K2nmES7:IunGZ1Lq8aNCOMloFFhha
Threatray 3'575 similar samples on MalwareBazaar
TLSH 5165C59C751C71EEC8D7C4629AAB1C64EA536CBA431B410390273DB9BA3C897CF547B2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry PR11020204168 (1).xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-20 05:07:17 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/58edca36-e28e-4223-aa1f-d054234dd45c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113131/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586302
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 342186 Sample: 1tqW2LLr74.exe Startdate: 20/01/2021 Architecture: WINDOWS Score: 100 33 www.breaking-news4u.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 11 1tqW2LLr74.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\1tqW2LLr74.exe.log, ASCII 11->31 dropped 57 Detected unpacking (changes PE section rights) 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 1tqW2LLr74.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 learnhour.net 142.147.98.180, 49771, 80 UNREAL-SERVERSUS Canada 18->35 37 wayupteam.com 50.31.188.183, 49764, 49777, 80 SERVERCENTRALUS United States 18->37 39 21 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wlanext.exe 18->22         started        25 autofmt.exe 18->25         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 00:37:23 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5gaetuqxd63gb3tsx2lpnm4hdi75sq6qr3wg2un7zflbmg2o7qa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d876129c69f0f4be0c87aeb20cdc38ae8f5db29bea6f87807946b89e0b61a50
Formbook
5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122
Formbook
79a5735a233925fa0fbbae9a0d38411de1d697dd5bbed65970c94bdf2be1a16a
Formbook
8fe13da45a5732ae42c27687b9cf9105a3f2028857729bdfbe3ae31514a6b298
Formbook
9787e886d7536b9343db7b8b78a9f87f5177b5d11460130d2aced11ccb44de8f
Formbook
b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430
Formbook
b9a286880c70bf7b6b049c8be7b7b14d8318b6c38d04185eced4bc48795330ff
Formbook
c41c3e04f58d643f5d30f52077a53a8c151d835aa44da144b9165a0297314f14
Formbook
d433e7ca5197ed83d851161b45aa94ae8b469a2c711b7a327d749c32279785f5
Formbook
edcbf58883f09441ef7eb461421b7ec33655663420ba2722ef5c45b62600f25c
Formbook
+ 3'565 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210120-91v19nsvv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.learnhour.net/eaud/
Unpacked files
SH256 hash:
1c164e64adcbefb8250fa4cafab93cebc9c312add6e7ea5c240c878c7824e303
MD5 hash:
340fc2829d18eb310efe7a09b1faaa8e
SHA1 hash:
6a0eaccf2b68df2bcd4092e361bedd1fc395b8e1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7cb9c0eb-d56b-4e08-aa38-543c1b1e9603/
Parent samples :
edcbf58883f09441ef7eb461421b7ec33655663420ba2722ef5c45b62600f25c
c41c3e04f58d643f5d30f52077a53a8c151d835aa44da144b9165a0297314f14
9787e886d7536b9343db7b8b78a9f87f5177b5d11460130d2aced11ccb44de8f
d433e7ca5197ed83d851161b45aa94ae8b469a2c711b7a327d749c32279785f5
8fe13da45a5732ae42c27687b9cf9105a3f2028857729bdfbe3ae31514a6b298
79a5735a233925fa0fbbae9a0d38411de1d697dd5bbed65970c94bdf2be1a16a
2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0
e29bf0082c57f6a228883a9c3c8b727dc68705f4780d6275870958c81d747290
fed11979ec84668f90bec2df7dde9872c7569080bbc832415746cde54bb3c384
b31d626131ee37bcb3366db2dda9cf1967ee57051f132e85425de1f1e495ca75
SH256 hash:
232c4a2b3e780581f756cfb09310d92748331b3354a2156bc7027ef5e8ccab97
MD5 hash:
1a21af697dc5e1f378b3115b2ba00f60
SHA1 hash:
fe45f9a0dded9ccf3af215c4ce43e692d31dd946
Link:
https://www.unpac.me/results/7cb9c0eb-d56b-4e08-aa38-543c1b1e9603/
SH256 hash:
9ebb83082125eb8caa625d260aa4eed7a57ca1bddaa3f86327d44db70dc86786
MD5 hash:
f64490ee615d766cb4fe4896e3c211ec
SHA1 hash:
be329cc1e4f209ba558dc4f1e0f7760bfef74bc3
Link:
https://www.unpac.me/results/7cb9c0eb-d56b-4e08-aa38-543c1b1e9603/
SH256 hash:
2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0
MD5 hash:
dbc9e12fcae4f6808bd89b2cdfb92e2a
SHA1 hash:
f2d136b68ed475bf392e261921eff844dcf39602
Link:
https://www.unpac.me/results/7cb9c0eb-d56b-4e08-aa38-543c1b1e9603/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2f4c024e90b8fdb3077395f4b7b59c38d1feca1e8477636a8dfe4ab0b0da77e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/971516/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113131/

Comments