MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments 1

SHA256 hash:	c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a
SHA3-384 hash:	ff6c78f22e30c59a7c100689d56e49f7634c9173454e97ef8ba9d40f60df7fc5c53fe6ce474d982eb86b2815a96c13b2
SHA1 hash:	46c8494ace630c88e7a2d46eab1bbf3bd3616ab5
MD5 hash:	1edccbf866457d61624c6520c4940182
humanhash:	north-princess-cup-cup
File name:	1edccbf866457d61624c6520c4940182
Download:	download sample
Signature	Formbook Create hunting rule
File size:	707'584 bytes
First seen:	2022-08-04 13:03:53 UTC
Last seen:	2022-08-05 06:47:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:XJg6SKlpxB3SaqthgJ7KxlNgTYA+ie7NGOT3xUfzAep/LLgeh26c3l:XnLlpxFbohgJ+gTjrm3x2J/LLgei3l
Threatray	14'953 similar samples on MalwareBazaar
TLSH	T1D5E4015132AA5F03D27B5FF5B62210241BF2693B7172E6884DC66CFB19B7B030A25E17
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

439

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1edccbf866457d61624c6520c4940182

Verdict:

Malicious activity

Analysis date:

2022-08-04 13:04:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/dae86fd9-e9a3-435f-b283-0d85ce4b702d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296465/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.14595.8448.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ebc43bb6d6be9f01ca0362/reports/9a6ee6c3-4ef9-424f-ae6c-9d0722a79782/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7fbbb88b-ef56-46cd-bb21-be0b10e9ae02

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1046243

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2022-08-04 13:04:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 39 (58.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ymnrp236nhnhohyo4irqsitcfkkodut472q76vlgcxspe4iegqfa._file

Verdict:

malicious

Label(s):

formbook

Formbook

0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4

Formbook

31f21e3ba94e074d03b416decbbb5a69994ccd8137b3e361acf21e298c00befa

Formbook

5d927a8b4eec0763e7cfd23a430982e548ab929af69cfa6db97e9ac527d86ebd

Formbook

6ddd3d427d8a1e5f9d462ed00402fde6603d7ed71a2eceb3f1fa804b7ed7aa10

Formbook

857ba872cec7026dda75065dfbcb2c865fb68138ef1b337db8f464c429adc744

Formbook

9696d3ec13f85ada39b140ae0096e765db0ff630f351ffa1e96484f6a4f2f030

Formbook

9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145

Formbook

a69ee77f4eb102a3528594435748d3a1e2925022a6d986eac8d32feb068c1f36

Formbook

daf1d21f570270cea93b1f7238636e31aa2a5f328917e30b125f677c723bd46e

Formbook

+ 14'943 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220804-qaxzcagbbk/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

ac60c7fd8363b2189ca63e75c54932d726d4d16794dbd645fdc23f2b8003203f

MD5 hash:

2a105f3926cec84e6b8431b15816d7e0

SHA1 hash:

c1d45b4bef146ae05ae4798e96002a71c1936213

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/29a39c8b-a103-4124-9e3d-2ba04ef8859b/

Parent samples :

758a693619b82e4c0188bddba10021226d25697b0bc1b397f911bcaf2a44222a
0ab6083c712635593c1f3229fc3ea45bde80031f5cb43042c250b3a4b99ffee4
c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a

SH256 hash:

aa9f746b2e33bad9b48b93f8b316f8d92f64c75afca58b76d17b1519fac2147a

MD5 hash:

492e503e238660c76fab45b75af2ea64

SHA1 hash:

f1eb69f36575ac339fbb3807d2b35e8221d323e2

Link:

https://www.unpac.me/results/29a39c8b-a103-4124-9e3d-2ba04ef8859b/

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/29a39c8b-a103-4124-9e3d-2ba04ef8859b/

SH256 hash:

a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66

MD5 hash:

228ff1006be83039e4de2b5e0475a5b0

SHA1 hash:

3adef5cc343067fa6b9d5e712114dc619c867a72

Link:

https://www.unpac.me/results/29a39c8b-a103-4124-9e3d-2ba04ef8859b/

SH256 hash:

4127e10ae08abd44837e2d6136ba894494c36dd46a389de392bb4e8af2e5c6a6

MD5 hash:

e5bfe482acca9a00d4879ca40622c6d7

SHA1 hash:

2173f2cf090a441bd78f03b3a264fa68880db765

Link:

https://www.unpac.me/results/29a39c8b-a103-4124-9e3d-2ba04ef8859b/

SH256 hash:

c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a

MD5 hash:

1edccbf866457d61624c6520c4940182

SHA1 hash:

46c8494ace630c88e7a2d46eab1bbf3bd3616ab5

Link:

https://www.unpac.me/results/29a39c8b-a103-4124-9e3d-2ba04ef8859b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c31b17eb7e69/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c31b17eb7e69da771f0ee2230922622a94e1d27cfea1ff556615e4f27104340a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.