MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c
SHA3-384 hash: d98782e61a07ac900aada7d6e61d8e79daf8a6a57089064204e3c104785b6ec3bdeac15f2dff1cbec6e9345d088b4a63
SHA1 hash: 3639a63993e020c06c8caca7263d2864d3148bf4
MD5 hash: 5ac4a45bb4afb4e0b7acd2980f8224d1
humanhash: don-island-green-nine
File name:PRUCHASE ORDER RFQ#8086A_461A_0000086_300_3550_2021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:557'568 bytes
First seen:2021-10-19 11:35:48 UTC
Last seen:2021-10-19 11:36:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:eDfx5+wvXTE8QdYT554CRNTAorchp0D/Zbw:2OuNMYdPRJAorHZ
Threatray 10'635 similar samples on MalwareBazaar
TLSH T103C42680211AB729D6160BB1A796C00E4F7B59BAA9C6C50F36D47EFE77AC10CC74352B
File icon (PE):PE icon
dhash icon 30f0e0f0e0f0f030 (22 x Formbook, 12 x AgentTesla, 2 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198473/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.17696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/616eada6a9d585e6d52db188/reports/17b6c728-3bcf-4dd4-b909-8463450b0708/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/357cfcde-4b16-4ac0-a1ea-3b30c96d2914
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873050
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505478 Sample: PRUCHASE ORDER RFQ#8086A_46... Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 10 other signatures 2->52 10 PRUCHASE ORDER RFQ#8086A_461A_0000086_300_3550_2021.exe 7 2->10         started        process3 file4 34 C:\Users\user\AppData\Local\...\tmpDB1F.tmp, XML 10->34 dropped 36 PRUCHASE ORDER RFQ...0_3550_2021.exe.log, ASCII 10->36 dropped 38 C:\Users\user\AppData\...\TQeWLsVyIqS.exe, PE32 10->38 dropped 56 Injects a PE file into a foreign processes 10->56 14 PRUCHASE ORDER RFQ#8086A_461A_0000086_300_3550_2021.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 PRUCHASE ORDER RFQ#8086A_461A_0000086_300_3550_2021.exe 10->19         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 40 www.matchmakerfiji.com 21->40 42 matchmakerfiji.com 160.153.136.3, 49841, 80 GODADDY-AMSDE United States 21->42 44 2 other IPs or domains 21->44 54 System process connects to network (likely due to code injection or exploit) 21->54 27 colorcpl.exe 21->27         started        signatures10 process11 signatures12 58 Self deletion via cmd delete 27->58 60 Modifies the context of a thread in another process (thread injection) 27->60 62 Maps a DLL or memory area into another process 27->62 64 Tries to detect virtualization through RDTSC time measurements 27->64 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 11:36:06 UTC
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f72b7rgqruqetvwh3s2hwkh4whttxcllhyz65c4v3jnhuoybujwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2a2187ae775f286c2400957b71aac1c550779fc6652a710d126546d4d4879f0f
Formbook
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
Formbook
8d0f3056715cf96af14714339ef1bc6fef37da86983bd0ba175e098eb0c2be8b
Formbook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Formbook
c6b8a03b94f79fb661cb2bdd0e8a332103ab2974c288b6ab7740acf6aa45af5d
Formbook
daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a
Formbook
f136f4f9c59c4ff2582063222c6df106a3d1e3d7d9220ff73e3cb2ec487fe1db
Formbook
f358d592a02990a899bc4ca7c35804529237cbffac5dcabb3e7e3916a79afbb4
Formbook
+ 10'625 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g8ni evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/211019-nqk9dafga7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.er5544.com/g8ni/
Unpacked files
SH256 hash:
7ff44ff4c1a0fde1e903a0fe2ea55beb4b012959d08ec95f6c86c3d670ebe3cd
MD5 hash:
3387deb1ce85866f4f8be177b36c32d6
SHA1 hash:
dc15d3f4968d212094d2e21db290fb6b6e5495e8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/dc17f7c6-96a9-4cb8-acd3-37ab2a9cd4e6/
Parent samples :
c6b8a03b94f79fb661cb2bdd0e8a332103ab2974c288b6ab7740acf6aa45af5d
8d0f3056715cf96af14714339ef1bc6fef37da86983bd0ba175e098eb0c2be8b
2a2187ae775f286c2400957b71aac1c550779fc6652a710d126546d4d4879f0f
2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c
fcaa502268e22400e98ae6f0842b7cf3598cf5a920c09a0d74996bdb64add249
3df54d0e5f1741308cfb7373e54e700b507d690142e085c8d3c9a56741ed1c04
SH256 hash:
7b4ba24781e21b310e2749bc2f7a80b9670a4198a54d26e42079a6a1c1be6ae7
MD5 hash:
7b77d210bf6b00fd8ee8187198852052
SHA1 hash:
7f78d6294a269349fc9a49ad3c8ccb3c3d2665b4
Link:
https://www.unpac.me/results/dc17f7c6-96a9-4cb8-acd3-37ab2a9cd4e6/
SH256 hash:
2811409680549684466bd5a19371dc42441b3f4ea779d2587204fc320ee826c8
MD5 hash:
76906cdc74ef8d387b582925878f0313
SHA1 hash:
452990be70ba6569b2ccbe8a222793f1954e2c53
Link:
https://www.unpac.me/results/dc17f7c6-96a9-4cb8-acd3-37ab2a9cd4e6/
SH256 hash:
2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c
MD5 hash:
5ac4a45bb4afb4e0b7acd2980f8224d1
SHA1 hash:
3639a63993e020c06c8caca7263d2864d3148bf4
Link:
https://www.unpac.me/results/dc17f7c6-96a9-4cb8-acd3-37ab2a9cd4e6/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2ff41fc4d08d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2ff41fc4d08d2049d6c7dcb47b28fcb1e73b896b3e33ee8b95da5a7a3b01a26c

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198473/

Comments