MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4
SHA3-384 hash:	d875fad38b38a0346df6c529564635ace2a6a410b29250ffeacd2526ed5e75427e79f7bc41a7d394759253a07c180067
SHA1 hash:	4eeb4fa7a57f39c7e0e33f069da955086926976a
MD5 hash:	a2f2b4df19c4e17b1ee75386984be107
humanhash:	item-alpha-music-lithium
File name:	Potvrda narudzbe u prilogu.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	878'592 bytes
First seen:	2022-03-07 07:30:07 UTC
Last seen:	2022-03-07 15:47:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	82a1cae1fecf80fb86b60ffd5ef79ccb (2 x Formbook, 1 x RemcosRAT)
ssdeep	24576:FGNaPiQO/G8s8kcIYdwT6au1wgR15k7Ft8:FGNXIUUF
Threatray	14'110 similar samples on MalwareBazaar
TLSH	T10C15AF22F1C15437C773293D6C175299A429BF002D2B58467BFC6E8CAF39682393D9A7
File icon (PE):
dhash icon	3c2c6c9c97cc6493 (7 x Formbook, 2 x DBatLoader, 1 x RemcosRAT)
Reporter	FORMALITYDE
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247759/

Detection(s):

SecuriteInfo.com.Trojan-FNTXA2F2B4DF19C4.23452.6449.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

Setting browser functions hooks

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8433/overview

Behaviour

MalwareBazaar

CheckCmdLine

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e72afe08-d187-4be8-87e6-049b8654fde7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/951580

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Drops PE files to the user root directory

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Application Executed Non-Executable Extension

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2022-03-07 05:32:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f6subilht3gtpb2oko2q5nghkyrdiigv7fymsnooauzul4psgh2a._file

Verdict:

malicious

Label(s):

formbook

Formbook

4768bc4db58542167ce61a3e0a78bfaa79a3b7dee0b54a587886545ed83a13f7

Formbook

4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e

Formbook

6b93224c145b221ac786bf10b1471af61722e45bbd41a029789170ea7f1c0751

Formbook

87946dcd976eb13af37e24ff68e36a03d2f46a9ae474f336207cf03cbbb0b508

Formbook

8bc32885f532e286073afa7781733d97338f3bab7b22f55680b38fe1926d103b

Formbook

b6788527f99a436b0e8925eb14c8800ced61fd406edd4182aa00072b3f74f39e

Formbook

c839e1036e4c8c7568d66cfb7c269ab8ed8048f9fc5a89464d82572a6efc1c28

Formbook

d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758

Formbook

dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

Formbook

+ 14'100 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:formbook family:modiloader campaign:3nop persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/220307-jcdj6aadg3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Formbook Payload

ModiLoader Second Stage

Formbook

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

e0f0812898ccc9c325dc08dc1377365ec34bf8b6da18aa90e6b7f7aa2a13c548

MD5 hash:

289caf1027c7b756ce8da53d02485cea

SHA1 hash:

2f583c1c335fd45d56929dcf54c85ec37251edf7

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/05dc8883-603f-41c1-8521-a673bdb0fe6b/

Parent samples :

6a7dd66c29530f7ed8f03ebd4b5f843639b34581d2e9ecd85c9fbdfb60450607
8051703485faca901060ae5b39054e5efee88909d2e1d4bb0f65126cda3230c1
1977d11ffc5195546fb8d5d8c660d7553c3961bf87ad4b972ee0cb1794d2168d
d4a859db98f9fd7473592c49c36ac926a2a29b27d7db8fc311f468bf82e64588
f35eab27c7c3c148fc5aec8351e7e5bd612214c91937d9867c8683ea7cde130d
974c776e5c3d20d4e254a4a493757f482931a2c48cdde33c76a0097eafbfdc85
83650c9dbbc1f4c607efa7934674da5f6237b234a81116744288be02cf2ead54
ee2440922354d6be2dce4ab27274ae2cc2108d8dde37837a739a7e2a36e317d5
f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36
fb98f0f50c30ffdacfa3ea67a2990fa5ec2ee2646dc2226179f8589aec41f5d1
5289d529e7d53da3449ddf8400d12ae7622ede25284c2823ed46d0800fd94736
46c2da007a993c4b1ecfa3ff91364bc98341c9c228517eac38b50c4567fb78dc
ea43c71d7ec447e2483c7f0c8488972648209f2b487f2e6e64227d3d729c1d88
23ebe8ce49e895139f26f190d36a37ec52e924db63a995901948f30111efe6fc
526f4e19614eb20343647b92758df4c1f9227e77bec90af22256af4b3b091596
02466f10b00992a56b5fbfd4f8117e8572c2f64b27fd7bed8b51acc159004fd5
d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
d3c632c33688b9d7ae817a7932ddb1a48dbaad0410a681304c6c88211a020fdb
641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277
9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7
564d91f37b294e7a10fe79495dc9da5ae6733b20f2d7c732ff0c692110b0e01a
ac59a96a7600ffeacec6db910d9ff04e5ddfaf5f325ca41a0c06028a739509da
7391303e2231d2f0143f8b0e86df253054e461a52279139fb800180d32271dbb
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
c1c5eecc6b6b1138ad43a1b2793d3872dca1c6ab4ec53d34e354e49e35d045d0
82c24935270870bb35719f35c29075f8bf02894bf81ba28e66983aa2247472a8
7146b418cdd99ac478a67e603bffb10c10f1c32745da1fd60c931f54f1f114a6
a7f53b92008e8a3678035fc366bc1b88d152efc8466e9e82c754752d000a5ad5
d423d7edf718ca00f8410a93834a6f9c99216c3a60860700f1fc6e493fedcc43
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
3bada4f5bcaee92a5979aecaa24326988226e9886815ccba28904d30735fe506
50365c827bd768ec7fdf1a5b688d19ec0645042e92f04dad712a1955e9bb4c8b
e0cee79b01870e15ca64195ba9d953f91173b189b9fb8c45a2bae916dd8f95a5
3fbc9c55133b3d51ba2221836cffc08e727826e9514233706781f897ca0988f3
15bff226310e77a5ff67a9e131c8e5d7ec0686e967e0863dca784f20fd8d0268
3d256cfde83a4560df279fbe2b4ef03ccd52fa13b31bc1daebcb3bed353c215b
03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf
6d3ef9ddf5f1d57d353e5d8b9bedbca6ab42765de06abf381534126d24142948
bd54feaedda33ef8e611cd540e84b8c44d989f2417ddca33472cea3b7892afaf
3f8e7640849ec23964af23d6e70ccc62510a3cec9bd775b30d18d5db7215a22b
b65b5c308318e1e0fc2228dd022300099273dc340aa8faba81abc1d3868707ea
4195e6b7bfb7263798034048a5a2d34780ecdddae25576e23e9c6b0df9316ccd
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
b3b8ceafdfc6bde8a73c68005414b709ca2b08f5eecfd9a49d769460d6c17c98
67708b9f3764b349b6cdb3d8cef073edc22303181f0a1c6f129ac1dae18feb1d
714e06d12bf6f481cfd3dfa64a13d37c614a759543d87b38ca2c6a03ee936f7a
fa6d0f34d7c69bc4e525cf1830beffa3aec08c9b69aae24f55a6232d89680421
4a59190e199b69f65aa69f2f5f1f6b568d49a052868e2c853b7ea1d70c04a953
5a288a8a3fd0158f2d9e11713cc4eaf951e12e4f196fcea95d74a14fc37d16d1
6c18b064240861b42aa8fadbea5472fdce174a4d2b1510d53cba2b28779602d7
988d086b6ca75da2fca905b090c6f20b21749335f7e2ee99d8dab2001d4667e3
aeb38f72dfa11e848a65cf0814a530e24df08dc818348d9e80978cb330f24af3
90b5404ae697363f350f8c78220428a79ce57b743e5f0eac06137b27fea25400
c1b7572079230fd99c0ca004448f526420c124efbd0e1f6027fb950fbac5e05e
952d3a3e3d19204bf7bb614623aa0d78e0be4ee05b0313c5c68e0e10f6e390e0
f1d8f8c8bb9871fabbd6a001c48bc001c5181b512d2989e87f08280b74ada33b
42dfb1aeb19afac4595bc0146dd42ee251896ea1bf3ea8ab05d4bd28a7edbed1
8dffb14c55c2880b40767aadf5615a6652403d59f357b0b77da3e00b875a0e32
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4
8f9f3e0d7eebe0304aeb35eb75be87c7bfe13859e00851df037f54d14765cbb9
44d963269f8d6e5ec5c15354be28c9078f58eea78943d39eb78c6485dea5065d
55d580190c976f23c945cb65feac487555e1b919079d930fe6201e22b5538905
d7d7882cc702fc76252e2b4fe7cdc7fbffa038e2329e579142e64acf81a26304
c7c0d3e8cd6fb36ceb4b5c2e32b019dd209fdd38fdf1bcb215f973da80437dd8
b0842f8285062f38c030bdd15264ec38fb23624888d135121f1cc11084c765ba
a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2
42cbad41d36d2c0f5ae498e89024822907894f02e173802d6e96dc57f0bff2ef

SH256 hash:

2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4

MD5 hash:

a2f2b4df19c4e17b1ee75386984be107

SHA1 hash:

4eeb4fa7a57f39c7e0e33f069da955086926976a

Link:

https://www.unpac.me/results/05dc8883-603f-41c1-8521-a673bdb0fe6b/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2fa540a1679e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/247759/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample