MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
SHA3-384 hash: e95c6ea58a9bbc363a0c496d5e78be4072dee93d0a797c9858cf64b675ef25cd04319c132ec7b6efe6b358b7a72031ac
SHA1 hash: 25a2190e389051017b0b512c0caa0e56d185d80a
MD5 hash: 0727f10acffae1a2fbad5bdee8606d77
humanhash: echo-paris-cup-oven
File name:6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:5'340'822 bytes
First seen:2022-09-05 23:30:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:pAI+7WP8CGcEUNHnorSJwvvGBrHBHA8Fn6KhPpXjX2oPIn23U4jKuK5rQjKg0OFB:itM8C9EUN96viBHFn6Uhr/I23UEKuK58
TLSH T14A36333D679A593AD4231438198BAAF7B431B6048B2420DFB7EA4F451C331877EF52E9
TrID 82.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.3% (.EXE) InstallShield setup (43053/19/16)
5.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
1.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.6% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Formbook C2:
45.66.249.241:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.66.249.241:80 https://threatfox.abuse.ch/ioc/848030/
49.12.190.6:40909 https://threatfox.abuse.ch/ioc/848031/

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
McAfee+Total+Protection+2022+Crack+Full+Free+Here!.zip
Verdict:
Malicious activity
Analysis date:
2022-01-08 02:33:51 UTC
Tags:
evasion trojan loader rat redline opendir miner stealer vidar raccoon
Link:
https://app.any.run/tasks/b2854e12-e4cb-419e-be39-96554a57c762

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308001/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Modifying a system file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36728/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
coinminer evasive fingerprint greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63168731c0ca34ef4c521369/reports/48659971-fd93-485c-afe6-d84f840f6f44/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pioneer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22c67375-2497-4bab-b402-21c595792f95
Result
Threat name:
PrivateLoader, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065314
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected MSILDownloaderGeneric
Yara detected PrivateLoader
Yara detected SmokeLoader
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 697840 Sample: 6B2D7C8BDEDB901D80C89717C98... Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 90 Snort IDS alert for network traffic 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 25 other signatures 2->96 8 6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe 14 13 2->8         started        11 jwjhsus 2->11         started        process3 file4 46 C:\Program Files (x86)\...\toolspab2.exe, PE32 8->46 dropped 48 C:\Program Files (x86)\...\rtst1039.exe, PE32+ 8->48 dropped 50 C:\Program Files (x86)\...\jg1_1faf.exe, PE32 8->50 dropped 52 4 other files (3 malicious) 8->52 dropped 14 Cube_WW9.exe 4 44 8->14         started        19 toolspab2.exe 8->19         started        21 rtst1039.exe 1 2 8->21         started        25 2 other processes 8->25 98 Antivirus detection for dropped file 11->98 100 Multi AV Scanner detection for dropped file 11->100 102 Machine Learning detection for dropped file 11->102 104 Injects a PE file into a foreign processes 11->104 23 jwjhsus 11->23         started        signatures5 process6 dnsIp7 74 212.193.30.115, 49728, 49731, 80 SPD-NETTR Russian Federation 14->74 76 wfsdragon.ru 104.21.5.208, 49727, 80 CLOUDFLARENETUS United States 14->76 84 20 other IPs or domains 14->84 56 C:\Users\...\SEi90n3QDYKieEmIUnAa7eMm.exe, PE32 14->56 dropped 58 C:\Users\...\RweduPS2ZdEnDiw3DsVU_gT9.exe, PE32 14->58 dropped 60 C:\Users\...\IA2Eo7N4SGrgkJHNs3B__TBp.exe, PE32 14->60 dropped 66 14 other files (10 malicious) 14->66 dropped 86 Disable Windows Defender real time protection (registry) 14->86 27 conhost.exe 14->27         started        29 toolspab2.exe 19->29         started        78 www.hhiuew33.com 45.136.151.102, 49716, 49752, 49780 ENZUINC-US Latvia 21->78 80 ip-api.com 208.95.112.1, 49709, 80 TUT-ASUS United States 21->80 62 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 21->62 dropped 32 11111.exe 1 21->32         started        34 11111.exe 21->34         started        36 11111.exe 21->36         started        38 5 other processes 21->38 82 186.2.171.17, 443, 49711, 49712 DDOS-GUARDCORPBZ Belize 25->82 64 C:\Users\user\Documents\...\jg1_1faf.exe, PE32 25->64 dropped 88 Hides threads from debuggers 25->88 file8 signatures9 process10 dnsIp11 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 29->112 114 Maps a DLL or memory area into another process 29->114 116 Checks if the current machine is a virtual machine (disk enumeration) 29->116 118 Creates a thread in another existing process (thread injection) 29->118 41 explorer.exe 1 29->41 injected 120 Multi AV Scanner detection for dropped file 32->120 122 Machine Learning detection for dropped file 32->122 124 Tries to harvest and steal browser information (history, passwords, etc) 34->124 68 192.168.2.1 unknown unknown 38->68 signatures12 process13 dnsIp14 70 host-data-coin-11.com 41->70 72 file-coin-host-12.com 41->72 54 C:\Users\user\AppData\Roaming\jwjhsus, PE32 41->54 dropped 106 System process connects to network (likely due to code injection or exploit) 41->106 108 Benign windows process drops PE files 41->108 110 Hides that the sample has been downloaded from the Internet (zone.identifier) 41->110 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad/
Threat name:
Win32.Downloader.SmallAgent
Create hunting rule
Status:
Malicious
First seen:
2022-01-08 12:54:05 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmwxzc663oib3agis4l4tce2x4ljzecz3c5viwxwzimwazqdeswq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:ffdroider family:privateloader family:smokeloader backdoor discovery evasion loader spyware stealer trojan
Link:
https://tria.ge/reports/220905-3hpn6aggcq/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Detects Smokeloader packer
FFDroider
FFDroider payload
PrivateLoader
SmokeLoader
Malware Config
C2 Extraction:
http://212.193.30.45/proxies.txt
http://45.144.225.57/server.txt
http://wfsdragon.ru/api/setStats.php
2.56.59.42
Unpacked files
SH256 hash:
196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e
MD5 hash:
c36de8bc9668ec4eaafca4c349dca0d5
SHA1 hash:
ea2cadfada69b93ca3abeb8b2462c5c18891fabf
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
Parent samples :
6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8
SH256 hash:
3cc9f00748917e25208d9c79a527208f96732ca54e9b3e01e18b6cae7c0c6f53
MD5 hash:
a9f1c095a080df7a008fd2b04f57c73b
SHA1 hash:
c7096f65671d61d9ddd8c5ae39103fdef40c850e
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
SH256 hash:
0b4413b71ece10227d076cecf6fc9e34570e02904dba79a4b57ed60b48541569
MD5 hash:
0d74e95598bded98db40310e67501ff7
SHA1 hash:
14c2e87f633eaca056adaf04f0c87c8edaf3bb2e
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
SH256 hash:
608a1e5b218538e527b83eba01c5960060926d6dcefd6c36627149222e85f8b6
MD5 hash:
245710f78b253e126ed6e7adbbbc55ae
SHA1 hash:
6be8914c2f171647f0e7b0ddcc6556ab7dfeb10e
Detections:
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
SH256 hash:
102b46f016bfe751294d1b3c7454ba895f7a9f615b7c6a656ac01e02be51da51
MD5 hash:
c61303a10eaf77d67d4b437f4beafb43
SHA1 hash:
b2ed97d9fe43e96b22e8fd6736084e26b33f10d7
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
SH256 hash:
413785bbb102de3c2cff9542078128685c44cb527793973df0b6d6b5df2b3613
MD5 hash:
eb462348610870263b5b47d2b68c352c
SHA1 hash:
ca29dbb812b485932cfca3a4d24508302bd70a68
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
SH256 hash:
6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
MD5 hash:
0727f10acffae1a2fbad5bdee8606d77
SHA1 hash:
25a2190e389051017b0b512c0caa0e56d185d80a
Link:
https://www.unpac.me/results/f0823451-57b4-40eb-b97d-59e4ad47c7aa/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b2d7c8bdedb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:fbrobot_mem
Create hunting rule
Author:James_inthe_box
Description:fbrobot stealer
Reference:https://app.any.run/tasks/317642cd-924b-4fe4-ba97-0c648f89c7a0
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_ffdroider_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects FFDroider

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308001/

Comments