MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453
SHA3-384 hash: 958e62c6c0887251babda5699d6a73013cc77e37033d932f9d3ff68b99a5099575a7f9c4d98ba423efab7cfc36e3e343
SHA1 hash: 106681ea8909a2de5732e51868245963f8b87b32
MD5 hash: f0dc88bce28dcc9005164930e94eacd6
humanhash: green-enemy-yellow-earth
File name:f0dc88bce28dcc9005164930e94eacd6.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:217'600 bytes
First seen:2021-02-18 08:42:02 UTC
Last seen:2021-02-18 09:59:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e581094a58b72785d499e04aa2b948ce (1 x Formbook)
ssdeep 3072:fTj5l3felhnSOKlTt/IlxX4VYwiW+faL5ysXTvaledstcYE4xDRv:xREhnKHQ74HRa4QsDvssstcYnZ
Threatray 3'821 similar samples on MalwareBazaar
TLSH DA24E00E34F0C872C887503548A4DAF57BBAF8A0176856CF77686B3E2E703D29775259
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://5.206.227.101/private/slim.exe
Verdict:
Malicious activity
Analysis date:
2021-02-18 11:31:29 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/53f95235-4b0c-4b46-b810-8c95292f6f73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117717/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.73052.18197.17455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611287
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 354663 Sample: zMJhFzFNAz.exe Startdate: 18/02/2021 Architecture: WINDOWS Score: 100 35 www.epoxmarket.com 2->35 37 www.afirecma.com 2->37 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 4 other signatures 2->49 11 zMJhFzFNAz.exe 2->11         started        signatures3 process4 signatures5 57 Detected unpacking (changes PE section rights) 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 14 zMJhFzFNAz.exe 11->14         started        process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Queues an APC in another process (thread injection) 14->65 17 explorer.exe 14->17 injected process8 dnsIp9 29 www.thysatis.com 203.88.111.71, 49729, 80 HENGTONG-IDC-LLCUS Hong Kong 17->29 31 hash-3.com 34.102.136.180, 49756, 80 GOOGLEUS United States 17->31 33 14 other IPs or domains 17->33 41 System process connects to network (likely due to code injection or exploit) 17->41 21 msdt.exe 12 17->21         started        signatures10 process11 dnsIp12 39 www.htmachinetoos.com 21->39 51 Modifies the context of a thread in another process (thread injection) 21->51 53 Maps a DLL or memory area into another process 21->53 55 Tries to detect virtualization through RDTSC time measurements 21->55 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 07:27:23 UTC
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f72fquhs4mkiboyaecyapbv4fefds6od3ojus5pg2fivloszwrjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
149bc7bb666f2eabcf946822bd316709ddeeef787f059687415f98c71ad47783
Formbook
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
45fda70b08542ae52a8228a61e317973f42b477583841e384e9817d7d2dd3709
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
5ec36ac5ba843f29bb0dc75d7d527ab9cee34a681bad704a89fd5ed12cdea337
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
a4ed754c1a38fd8fc24bb4ec7f5da899c254df070bcc8cfd7b16778701c4b72d
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
c1dc214e929541d1f9d0ede9422bf40f61f766de5e8a32bc2fb2d73a91e4a71e
Formbook
+ 3'811 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210218-yhgrxdxbv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.mediasupernova.com/idir/
Unpacked files
SH256 hash:
10f6238595281c48c58933db2f4708b88fac889f1a00b5ebd10a2dde5edd7871
MD5 hash:
5c7d82782e7b2cf9c30f249a4acfd825
SHA1 hash:
4c2400593898d9c71d684069c4b40f133664d58a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a29ab303-4dee-44f0-b09d-1b7d1bb05a7f/
Parent samples :
2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453
de7e8ed0bd9ad8231adb43f89717a72375e29c9360e2b78bbc918992093bc217
SH256 hash:
2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453
MD5 hash:
f0dc88bce28dcc9005164930e94eacd6
SHA1 hash:
106681ea8909a2de5732e51868245963f8b87b32
Link:
https://www.unpac.me/results/a29ab303-4dee-44f0-b09d-1b7d1bb05a7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 2ff45850f2e31480bb0020b00786bc290a3979c3db934975e6d15155ba59b453

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1017211/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117717/

Comments