MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments 1

SHA256 hash:	31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a
SHA3-384 hash:	c19bebe64894c6a26f7add34116e3e1c0c243c9cb25929f33bc20b402d510a7c3d30a6bad32db3e3efbda7b4fd7d50da
SHA1 hash:	9d68ba6b2d5cc05cdbabb844b5caf1e65e53599c
MD5 hash:	a98cf71171ec02471d5c9ccbda5f823a
humanhash:	network-november-thirteen-texas
File name:	a98cf71171ec02471d5c9ccbda5f823a
Download:	download sample
Signature	Formbook Create hunting rule
File size:	341'997 bytes
First seen:	2022-02-25 07:03:48 UTC
Last seen:	2022-02-26 07:53:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:TxDSlyk/SQxz935OClJRN+0n4r2gcz1hDOq9OM+mVIK2:PIG2XXQ2d1FVOM+mC
Threatray	13'669 similar samples on MalwareBazaar
TLSH	T1C674232625C572AFE8D1023092FBA711F7F7DF4412F018A7AFB15F7B58123AE5521162
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

install.exe

Verdict:

Malicious activity

Analysis date:

2022-02-26 07:52:01 UTC

Tags:

installer trojan formbook stealer

Link:

https://app.any.run/tasks/4b423ee5-42bc-4594-a3dd-74e6d6c14fc1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/244622/

Detection(s):

SecuriteInfo.com.MemScan.Trojan.GenericKDZ.84301.19081.32629.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62187f690cd58dbd92398946/reports/c4a5d303-28d3-45eb-ad42-a649b9648daf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07146505-ef3c-465a-be83-55795cc96efd

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/946247

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-02-25 05:45:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gh6nhvou3oenk5bjawwyyjyx23aqpmsg75ccg5c4ho5pr5todj5a._file

Verdict:

malicious

Label(s):

formbook

Formbook

2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb

Formbook

5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1

Formbook

75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2

Formbook

8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a

Formbook

9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908

Formbook

d6b928a4292c14dee552691c4955bdff07d038470ec1419c88a4018fb06bd399

Formbook

f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1

Formbook

+ 13'659 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:fsgg loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220225-hvysdagehr/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

377a4c7ca0ed8847ad4c04f54c209851da37cdec2193742c81384f0f06710b67

MD5 hash:

eb737bf2188a177d755af8d88bf9d5ee

SHA1 hash:

ca424bb58639a1639d3d9c005d465209b975ad65

Link:

https://www.unpac.me/results/d0a594be-d951-49d1-a6c2-c197ff25e0e4/

SH256 hash:

420982b978072e666bca3e82142117102949c8d3adb535d7de128745cc9b605a

MD5 hash:

95502cdda1ba2c804a55359695b70fa3

SHA1 hash:

b4afaed5bc6fccb8108698df9853ab8fb086a5c0

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/d0a594be-d951-49d1-a6c2-c197ff25e0e4/

Parent samples :

c770def66ece0d6100ca50a3b54898be0c177e7d0baddd8803785571f83c1c1a
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a

SH256 hash:

31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a

MD5 hash:

a98cf71171ec02471d5c9ccbda5f823a

SHA1 hash:

9d68ba6b2d5cc05cdbabb844b5caf1e65e53599c

Link:

https://www.unpac.me/results/d0a594be-d951-49d1-a6c2-c197ff25e0e4/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/31fcd3d5d4db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research