MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff07642867f534743f26a3783850d83f59d74bf6860831577ccf26d52ae88ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff07642867f534743f26a3783850d83f59d74bf6860831577ccf26d52ae88ee
SHA3-384 hash: 8369ca1d77af6548f242628da41b08343cfa5ffed8a1374660900a38f0cf1e5d5ba5865ca7be3a974f7189834239cf24
SHA1 hash: ba49730f90414720603a1bed0811443b3459a47b
MD5 hash: 80764ca0b93848c21c2b6afe75ab4329
humanhash: apart-indigo-eleven-sad
File name:vbc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:738'304 bytes
First seen:2022-01-10 13:44:37 UTC
Last seen:2022-01-10 15:58:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:Y0xGOg5d1WNwtDTmilHq1QR6uDQVGaXAbApUXvMe4KZgeXLU9t:YUg1WatDTmitq1QR60OGQkGUXvMe5ZXg
Threatray 13'090 similar samples on MalwareBazaar
TLSH T193F4C0067A4AD902E2690973C5DBC2B447F47E44A553D32B79E53E3F3D723A1BC0868A
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-01-10 13:47:56 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/5ae05c64-522a-496e-b7f4-b5201552681e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218006/
Detection(s):
SecuriteInfo.com.Artemis80764CA0B938.10270.26762.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/61dc38611c0d769df9de944a/reports/7921e523-2a2e-4149-9879-08eefdc8b5a8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/857e239b-b437-47e5-a582-04a3738cf1c3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917676
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 550154 Sample: vbc.exe Startdate: 10/01/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 10 vbc.exe 3 2->10         started        process3 file4 29 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 10->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 10->59 61 Injects a PE file into a foreign processes 10->61 14 vbc.exe 10->14         started        signatures5 process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Maps a DLL or memory area into another process 14->65 67 Sample uses process hollowing technique 14->67 69 Queues an APC in another process (thread injection) 14->69 17 explorer.exe 14->17 injected process8 dnsIp9 31 www.memf.xyz 17->31 33 www.kisah.xyz 17->33 35 37 other IPs or domains 17->35 47 System process connects to network (likely due to code injection or exploit) 17->47 49 Performs DNS queries to domains with low reputation 17->49 21 rundll32.exe 12 17->21         started        signatures10 process11 dnsIp12 37 www.kisah.xyz 21->37 51 System process connects to network (likely due to code injection or exploit) 21->51 53 Performs DNS queries to domains with low reputation 21->53 55 Self deletion via cmd delete 21->55 57 3 other signatures 21->57 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ff07642867f534743f26a3783850d83f59d74bf6860831577ccf26d52ae88ee/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-10 13:44:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7yhmqugp5juoq7sni3yhbinqp2z25f7nbqigflxztzg2uvordxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5
Formbook
2f08f5b23a062671fba5957b98d05a728299bb1ae98695b9b5d36e75528ccab7
Formbook
768252369536d1e56aad57c5015925ec464642d13d76468db72e60f9ac4e1a54
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
9f5649294d8a9d4cc583e6bbcb11d8287e02f5221d3f7be4109048271f1112c2
Formbook
d78094f3b6eac87e2d4249671bdc4e044afb31e2e78aac8f2db7186c6d5b6db1
Formbook
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032
Formbook
+ 13'080 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:cxbz loader rat
Link:
https://tria.ge/reports/220110-q2ebbaecf4/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Xloader Payload
Xloader
Unpacked files
SH256 hash:
b39800cf836f6df567f9deaeacd5038c4e077324a8e95d99d856d7261258f4ff
MD5 hash:
b638dd70c1634680fabf704d9d61ccd3
SHA1 hash:
8d6eef404c1f76a9435b795482b11932ac541069
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/55944a1b-03a9-4c39-978b-a10831cdfb6e/
Parent samples :
2ff07642867f534743f26a3783850d83f59d74bf6860831577ccf26d52ae88ee
5cdd172f465ceffd3bcf25b11515fb6cf382045856f18cf05da436353f672aa4
2e78cdf6c6b9c395801561d0d01452c34069c5584f4827e454d5ce951895c771
c68187b173ad6e5f68910e7e23137e30c348192f861ef27e45bf82c0bc8663e8
0adfc99fefcb09f082e85f53025764a8ea4b0f35a4140540022be9de71bb58e9
9655ee4ca1167f87d9245041ab59e861d6b3bdde7897a3b4cb2deee8550bdaaa
ea94995d23d53a98a949a242022cbd9bc5b7a4320c3fb6c045370b15704e4004
6394de1149bac235402b7a6453331c0585bfcd54d2a31ce7e44b42fb24caf615
8d6fcc0c461c48ee2da0b00354d946342c3521662cafc0b0d519b5d875279939
SH256 hash:
92f76e0d0e8cc8a55080368a2f060dd9271bce88e1504f6a846465dc879dfa2b
MD5 hash:
8febf378a62939f3356d7dee166d73ba
SHA1 hash:
6572642312cc5a9d196d56d9b8039d5e0a0ed7fb
Link:
https://www.unpac.me/results/55944a1b-03a9-4c39-978b-a10831cdfb6e/
SH256 hash:
bf9413ef17298c8e0823e2aa4fd24fa5b7cea724b9187a96baf079f5175b769f
MD5 hash:
00bcc1888e92eab0df0b73ecca54968d
SHA1 hash:
60dc9a0527b7b223deac8cc10f3beac17329cb26
Link:
https://www.unpac.me/results/55944a1b-03a9-4c39-978b-a10831cdfb6e/
SH256 hash:
2ff07642867f534743f26a3783850d83f59d74bf6860831577ccf26d52ae88ee
MD5 hash:
80764ca0b93848c21c2b6afe75ab4329
SHA1 hash:
ba49730f90414720603a1bed0811443b3459a47b
Link:
https://www.unpac.me/results/55944a1b-03a9-4c39-978b-a10831cdfb6e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2ff07642867f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ff07642867f534743f26a3783850d83f59d74bf6860831577ccf26d52ae88ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/218006/
  
URLhaus
https://urlhaus.abuse.ch/url/1962556/

Comments