MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fa81f4a4c64e5595c5d538062b4e8435e10fccd9f81b73c6ddf752b9ace38af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs 3 YARA File information Comments

SHA256 hash:	2fa81f4a4c64e5595c5d538062b4e8435e10fccd9f81b73c6ddf752b9ace38af
SHA3-384 hash:	807578ad45adf911d9f28d7189838df5854918daf42e1f84c56d85d6f6f4c77d0abbe4ba95cea171c65b7e0563912439
SHA1 hash:	13b7d7941c368903579f40c16daed4735f3ff627
MD5 hash:	c4e74637b48c8a662a28f24c2feca67f
humanhash:	fish-pip-vegan-dakota
File name:	2FA81F4A4C64E5595C5D538062B4E8435E10FCCD9F81B.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	3'722'073 bytes
First seen:	2021-11-07 15:30:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	49152:9glYRvyQJxnCGOmCIDCAOlRri2/i1GwynCFCKbDd3zHmXljcLw+Baw4VY+pbqnMf:yCvyyhOH7Hriwi1GYFL422VJQSz1yW
Threatray	1'517 similar samples on MalwareBazaar
TLSH	T1680633AC2A995BD9F4F2093B3F7319175E9DCA2AF8BED5190F40244739309F2608D16B
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Formbook C2:
94.26.230.203:48759

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.99:21438	https://threatfox.abuse.ch/ioc/244756/
135.125.40.67:49126	https://threatfox.abuse.ch/ioc/244769/
94.26.230.203:48759	https://threatfox.abuse.ch/ioc/244776/

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CookieStealer

Link:

https://www.capesandbox.com/analysis/203051/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys mokes overlay packed socelars tiny

Link:

https://www.filescan.io/uploads/6187f1382084b424af0e2562/reports/f63daf79-29a1-40c4-97dc-dddc304a10a1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0dc47c62-1d63-46da-8e47-10b7d465a968

Result

Threat name:

Backstage Stealer FormBook RedLine Socel

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/884815

Signature

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Backstage Stealer

Yara detected FormBook

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

vidar

Link:

https://mwdb.cert.pl/sample/2fa81f4a4c64e5595c5d538062b4e8435e10fccd9f81b73c6ddf752b9ace38af/

Threat name:

Win32.Spyware.Socelars

Status:

Malicious

First seen:

2021-09-25 04:37:49 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f6ub6ssmmtsvsxc5koagfnhiinpbb7gnt6a3opdn352sxgwohcxq._file

Verdict:

malicious

Label(s):

formbook

Formbook

62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

Formbook

96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e

Formbook

d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a

Formbook

ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203

Formbook

ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac

Formbook

+ 1'507 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:redline family:smokeloader family:socelars family:vidar family:xloader botnet:706 botnet:932 botnet:jamesbig campaign:s0iw aspackv2 backdoor evasion infostealer loader rat spyware stealer suricata themida trojan

Link:

https://tria.ge/reports/211107-sx2l6affhl/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Vidar Stealer

Xloader Payload

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Malware Config

C2 Extraction:

http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
http://www.hhgenice.top/
https://mas.to/@killern0
https://mas.to/@kirpich
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
65.108.20.195:6774
http://www.kyiejenner.com/s0iw/

Unpacked files

SH256 hash:

1778a6b25f9ac7d1bf1782d1196ac5254ed46e70033a38f391d02939d5b733da

MD5 hash:

3b32aabc7aad3bbfd7226cc614743f48

SHA1 hash:

ea748309ac48558506ddf93b45369b41f641126e

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

aaff20cedfc7c867eca9cf24924c4a782639cbac290ef608b5f278b4722f5cfc

MD5 hash:

f49417599d52e898d5eeac2279552152

SHA1 hash:

2f962e94bdb1d6bb9d04b01fbc62683c451c5d55

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

66d9e7d002b91df4aa572228d3c4a1d41997fff54555d0aa2e903f993f307814

MD5 hash:

17df2b7340cf3291107bfd454d0ca856

SHA1 hash:

00458e02751bb0e2cc268730a0cac2689249b1a7

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

b1920edd533a39e340a58a6e720a38b6fd703d91ec097b9f2b1a69ce9d7fbbf8

MD5 hash:

8b78a03d45ea20b55ad506929729ec1d

SHA1 hash:

c0c2b7ce1f68b41d1d72f07939387dabf9ffc597

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

66652d9926e2e2b7c05e750cbba2372d61ea01849b757c7b36514e8cc37a822f

MD5 hash:

440cebc61c2bebcd4eaf2bd4fe8547f1

SHA1 hash:

f5d4a7965cd28cc0eaa17ed8c6588bfa64f240c3

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d

MD5 hash:

2c509753fac93810c09574a8b56af1e4

SHA1 hash:

e53da7ff5a9cfc3bda21794d639ed1f02cd7a881

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

5141105c9c19b2a274176f5a265a081c364e5389dafb07cafe99fdb060bef420

MD5 hash:

868975fcdfd05739c805d55951c714f5

SHA1 hash:

bc6b5cbd3d54d989f4763096feed1f7fa4d6fa74

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

1e629aed37f3000defe4e315bc6fc1e4481a88d40b2d18d9ef843b23327520b3

MD5 hash:

c72bbaa56b27c06d032357ef7fbb9ca0

SHA1 hash:

b5934d5e3b9034f3e1e0eca95b3048f6cb9fd523

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

5752c695f8cf0e47cb597b2ad2ac6071bf31bd8c5f5b3555e58d62cafdadc10e

MD5 hash:

5eb95a1441bd1c76a7bbf1edd536a589

SHA1 hash:

7f567577cf6773df37eb55d41e2569738adeb6c3

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

66e031fe18df7aeaad8a8ef86597054291840ec2b851d1effcf09a69a91a910c

MD5 hash:

dcae606b9ec78a96f9204f76bda9d149

SHA1 hash:

7b0bfe0bf17f859fdd2c8395a6f31e18a9c96719

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

861895aa232e33ba9a3ac7657b42ca2cbec88839d7c52594dc577999af3d6bb6

MD5 hash:

471f3ec4b7662fb89a67a87b85ecdca1

SHA1 hash:

5de38985dcf3e4f72b7c117b74713b6a00e4467a

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

98bccdfbb18698e9c1e644b16c1c7969b2664994a0567c9b49385c3e8d56a14b

MD5 hash:

9a85640fac877f863f8d1d7d0e31a99d

SHA1 hash:

19078d13ef37f562fd534ca5c8dd4c013c0ce640

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

a6b52035d1b78da50f5f797a0812b980597f4d744c68858b50a1a693d86406f6

MD5 hash:

25145682427b3cc39bdb47d5ef44962e

SHA1 hash:

0fb934dc78b3ef61ba250f85111b1201c16fd40d

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

73bbac84a5eed29db3e53d01298eef42716017974157431545f76964f584c10d

MD5 hash:

d1f83636ec9accfe43f6f696e87dbad9

SHA1 hash:

6702a4c0987a2b16759fac9b1e55e93ad66e7308

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

9191cfd164191e776510c834c52cb02eede7528d9b82913812e98b760aeb98a4

MD5 hash:

138a8cbb0ff866f1f61d5dcb8ba0caa1

SHA1 hash:

66fe6eb674de5637d4bf3e0666e90543bba2e154

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

519bf90783f1900e3658213fc992301bc8e36c24597d697e32813f3d04931d26

MD5 hash:

97045e83230dc4d05e91ba82c2c677a0

SHA1 hash:

3597109d5cf04e15ff95d39cfa49f70f47a31b14

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

048b3eff633ef149a8f4b4795e4cbc88ca5ad10fea12413a2a4fbfc9681a979f

MD5 hash:

a0d997f1225a17da6564cb8fac1704a2

SHA1 hash:

70c87f6efc170b62682622285d89c7d0a7eff508

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

3ca50227f30bf667ffa9500dd27bacb4e31c420559551878cd86f8424feed420

MD5 hash:

78dfe18ea1bb0da8d08ee6c4884c827b

SHA1 hash:

abe7005994ab7e239845fec1dea96c2e4324fb26

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

4c263d3246f29361838650f92cd298d866a6c9c26aded7039bebebdd8b3ce19d

MD5 hash:

9c1e745e23ce3debc067cc037f65291d

SHA1 hash:

0612a0b4b3ce481e1069744de4489e48a5b7d8fa

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

SH256 hash:

2fa81f4a4c64e5595c5d538062b4e8435e10fccd9f81b73c6ddf752b9ace38af

MD5 hash:

c4e74637b48c8a662a28f24c2feca67f

SHA1 hash:

13b7d7941c368903579f40c16daed4735f3ff627

Link:

https://www.unpac.me/results/f1f4d4c5-b66d-4b25-af33-380acf376335/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2fa81f4a4c64e5595c5d538062b4e8435e10fccd9f81b73c6ddf752b9ace38af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/203051/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample