MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a
SHA3-384 hash: 7b1cae66f9d9be9f965fcf6493657a05a17ca3bcd7932265e5f4607084069940bd819a29d2c6215b57c18e9357b0a135
SHA1 hash: edb2e066091b33f278e45d77c2c5fa0d0f2f360d
MD5 hash: f2afb3a86d4b205705b0ec883e969f39
humanhash: neptune-green-west-pip
File name:f2afb3a86d4b205705b0ec883e969f39.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:262'297 bytes
First seen:2021-09-28 11:34:43 UTC
Last seen:2021-09-28 13:07:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBsbeycDNeM0XjdJQqxInTEB7PH5hWtuJcnz7D:/KycDNe7LXxInTE9PZhMuJu7D
Threatray 9'788 similar samples on MalwareBazaar
TLSH T15844122623C580E7C8A283751FF5E77CF7BB81350220794F47609EAA16B39435A563B7
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f2afb3a86d4b205705b0ec883e969f39.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 11:54:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50a6e6cd-6c5f-4a1c-aafe-10440037c819

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.29977.24237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/751b9efd-ca01-4714-a5af-0277a461a806
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859826
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492257 Sample: 7ivFMbol8b.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 36 www.motphimz.net 2->36 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 9 other signatures 2->60 11 7ivFMbol8b.exe 17 2->11         started        signatures3 process4 dnsIp5 44 192.168.2.1 unknown unknown 11->44 34 C:\Users\user\AppData\Local\...\scwtnv.dll, PE32 11->34 dropped 72 Detected unpacking (changes PE section rights) 11->72 74 Tries to detect virtualization through RDTSC time measurements 11->74 76 Injects a PE file into a foreign processes 11->76 16 7ivFMbol8b.exe 11->16         started        file6 signatures7 process8 signatures9 46 Modifies the context of a thread in another process (thread injection) 16->46 48 Maps a DLL or memory area into another process 16->48 50 Sample uses process hollowing technique 16->50 52 Queues an APC in another process (thread injection) 16->52 19 explorer.exe 16->19 injected process10 dnsIp11 38 thehomeinspo.com 66.235.200.146, 49849, 80 CLOUDFLARENETUS United States 19->38 40 www.keenflat.com 44.227.65.245, 49826, 80 AMAZON-02US United States 19->40 42 8 other IPs or domains 19->42 62 System process connects to network (likely due to code injection or exploit) 19->62 23 svchost.exe 19->23         started        26 autochk.exe 19->26         started        28 autofmt.exe 19->28         started        signatures12 process13 signatures14 64 Self deletion via cmd delete 23->64 66 Modifies the context of a thread in another process (thread injection) 23->66 68 Maps a DLL or memory area into another process 23->68 70 Tries to detect virtualization through RDTSC time measurements 23->70 30 cmd.exe 1 23->30         started        process15 process16 32 conhost.exe 30->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 11:35:18 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
31accabae2032a0fda8dd449182167521360e258df6ebd2316130399d910e990
Formbook
3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3
Formbook
3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336
Formbook
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
Formbook
8a95ac711537aeb1c93c61e541077005f5226e4150c2669742d1b612cfc25788
Formbook
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
Formbook
b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
Formbook
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
Formbook
+ 9'778 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:m0np loader rat
Link:
https://tria.ge/reports/210928-np26habhgq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.devmedicalcentre.com/m0np/
Unpacked files
SH256 hash:
f4e1ce66224132eb8173116f47d39380c06e0f5758251e7b35bad6f630b573d4
MD5 hash:
ef7eaf0da4de4d661b5d15c16dc09b45
SHA1 hash:
27bc4729f90be02fb496bcd4167f545ad9d0e892
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e6fb954-ebc6-4e50-9af0-8c5219edae5d/
Parent samples :
b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
8a95ac711537aeb1c93c61e541077005f5226e4150c2669742d1b612cfc25788
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a
SH256 hash:
5bf2cb1e36454321595cf5a7304254e5968690b92a7e27e5b519db0c2dc04e5f
MD5 hash:
844abf1b6643336b6e55f1fc4f7fedf2
SHA1 hash:
e23d3aeab06c84bb9b4c7477bf52e92b6f9bd556
Link:
https://www.unpac.me/results/8e6fb954-ebc6-4e50-9af0-8c5219edae5d/
SH256 hash:
d6c52ba61020c0c759cbad64c4a773faedb2aab7f00b5981d763872dcfc8cd09
MD5 hash:
46f11640fd0591605be47aebe01cce42
SHA1 hash:
5e31684926efaaed39484c3a88af9d6adda14099
Link:
https://www.unpac.me/results/8e6fb954-ebc6-4e50-9af0-8c5219edae5d/
SH256 hash:
cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a
MD5 hash:
f2afb3a86d4b205705b0ec883e969f39
SHA1 hash:
edb2e066091b33f278e45d77c2c5fa0d0f2f360d
Link:
https://www.unpac.me/results/8e6fb954-ebc6-4e50-9af0-8c5219edae5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe cf3038247c7a2a5779f655fdf594bdad56b22d198b6edb1c3197b84d9c4f153a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1562681/
  
Delivery method
Distributed via web download

Comments