MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f632953c841eb5cedc70338e9a5f1835a77092df387abab131f34b5ba783799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f632953c841eb5cedc70338e9a5f1835a77092df387abab131f34b5ba783799
SHA3-384 hash: 2a77d4e7fdff838fa86afb75219596d732f85c1924b2ca841df9a4bab2c6ebe004f8579b5d925549901fe07eda9cbfe4
SHA1 hash: ef8b3871b056b86c0aa741cf4d41a660cbbbd6c3
MD5 hash: fdfddd06a4729599548a545c3c638448
humanhash: arizona-dakota-louisiana-triple
File name:SecuriteInfo.com.Trojan.PackedNET.1344.20097.31686
Download: download sample
Signature Formbook
Create hunting rule
File size:598'016 bytes
First seen:2022-05-19 15:07:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EkL3dv7VuLdWxGIpyIAcRZ9O0YL21pZLYGfUbs26sfZE/PJUj:XOExG5kO0YL21pZxsbscBJj
Threatray 15'610 similar samples on MalwareBazaar
TLSH T129D4125D72F956A9E0B68BB587759009CF73BC709C32C3292C9530CF2879F908591BA7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.1344.20097.31686
Verdict:
Malicious activity
Analysis date:
2022-05-19 22:42:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5767439e-b65e-4fa2-bfe9-afa9146ccf4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272632/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1344.20097.31686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62865da58d5de69653cb8905/reports/feadbf7c-5aed-4939-b6bb-86628c952c4e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c713b48-96e1-41f4-8d0a-24d088ec6f0c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997861
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f632953c841eb5cedc70338e9a5f1835a77092df387abab131f34b5ba783799/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-19 15:08:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
10 of 41 (24.39%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5rssu6iihvvz3oham4otjprqnnhocjn6od2xkytd42llotyg6mq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e5dd52da4fa3d13be08ae1fdf59eddbcce0fe300006f0e84d7f885cb61ff0bb
Formbook
3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef
Formbook
5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856
Formbook
6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf
Formbook
84483ed46317d2ba114e3b5f49c4a54a8801bf648b73578135372dedd3f8a9ca
Formbook
c483fdd57cf8e05985e6e09ae3c74a7b53cccff68ddccd0cfea136591ec5c306
Formbook
cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34
Formbook
d7dc569e0cf8cc6afc0a4a922263195ea12051b1db428fcf9fba724d90261a5e
Formbook
+ 15'600 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:tdht loader rat
Link:
https://tria.ge/reports/220519-shv6tsgge4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
d7d9d5821c659a9fc245b737662dd3d4742b7833ee7bce8b87c654f82b1f60ca
MD5 hash:
011afda79b12125a9c6557c506b36138
SHA1 hash:
9d26e2d3489e81ac1db4a2c8f560d4c8405375ed
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b87d683f-9a05-45d8-af8f-d6add1fbcfb9/
Parent samples :
3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef
cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34
15b61780aef551ad610fe1b93e8dee8789bd557b79bdb9a0cdc66e23603fa6d0
2f632953c841eb5cedc70338e9a5f1835a77092df387abab131f34b5ba783799
b0d8448b8f1001c389a1d64989666d531e4a82339d3f63c3156a078af86ebbcf
fc753d6a1adb745147ae129b7745f4d5bdb7c02fcad71e96bb40b305ca0b45b8
706daa6b72e92fa8645d1e31a7ddb3c9a45b4beaedd71e7b1c8f3518cfe641bd
210a555fe6605921805e7c4772dfed9c99d5054f618fcc3024a06c725f0d4e4f
SH256 hash:
519bf078297949f1b8217b5df6a966bbd610298226a113089b45a9d983b7f9d6
MD5 hash:
5d0927c5f16378cb9ae8f155f0f08651
SHA1 hash:
ff5af4670f4fdfa2d8d23d9f9f8fd5873bee8a9d
Link:
https://www.unpac.me/results/b87d683f-9a05-45d8-af8f-d6add1fbcfb9/
SH256 hash:
573986234a30f8cf12f753c112bc3a3740cadde693bb213ffa0ad0856873a3cb
MD5 hash:
dd4ce79964a6e7ddba30036a96c17f46
SHA1 hash:
770c95d66079b41c5e6afe868a777669284bda99
Link:
https://www.unpac.me/results/b87d683f-9a05-45d8-af8f-d6add1fbcfb9/
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/b87d683f-9a05-45d8-af8f-d6add1fbcfb9/
SH256 hash:
2f632953c841eb5cedc70338e9a5f1835a77092df387abab131f34b5ba783799
MD5 hash:
fdfddd06a4729599548a545c3c638448
SHA1 hash:
ef8b3871b056b86c0aa741cf4d41a660cbbbd6c3
Link:
https://www.unpac.me/results/b87d683f-9a05-45d8-af8f-d6add1fbcfb9/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f632953c841/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/2f632953c841eb5cedc70338e9a5f1835a77092df387abab131f34b5ba783799

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272632/

Comments