MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments 1

SHA256 hash:	d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72
SHA3-384 hash:	a30ffd3ca69cdec6ed71965eb01c824236c80b56a25562561c3a40be664ae848369b39e079c18e33d2bbcf7fdbcfc409
SHA1 hash:	61ab09b372aca112ffb4e7c91ee114f0800ef97b
MD5 hash:	22bde89a8afcad7436370bcbc8a6b1ea
humanhash:	triple-foxtrot-south-cola
File name:	22bde89a8afcad7436370bcbc8a6b1ea
Download:	download sample
Signature	Formbook Create hunting rule
File size:	203'349 bytes
First seen:	2022-05-18 16:42:13 UTC
Last seen:	2022-05-18 17:47:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:ZYa6VWVy9U9kxdLqj6qrc1fd5NZfQQRE32bZA:ZYDWVCUSLqj6qrch5eQR7ZA
TLSH	T1321412CC73D1D5F7DDB26A38183A0B476BF18A1518AA850B1B701F9F39A70A1DA0FB51
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

22bde89a8afcad7436370bcbc8a6b1ea

Verdict:

Malicious activity

Analysis date:

2022-05-18 16:47:50 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/0589a3a5-e0af-425c-9a6d-48b4c20d582f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/272184/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.52383.28900.8835.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Searching for the window

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Launching cmd.exe command interpreter

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/18782/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe formbook overlay packed shell32.dll winlock

Link:

https://www.filescan.io/uploads/628521f870e563c3836bee0a/reports/d7f1b427-66c5-4c49-947c-b3ac1ee6a40b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb42393e-1e20-47a9-bb15-cb683e28da6f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/996995

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2022-05-17 11:38:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ld5zqzhsdiy3pctyslnf7a7yjv2p3irzuayvon2uc2yccahpnza._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:tgdh loader rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220518-t78nwsbgg7/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

d8a34bd88ab11f8edf3ec181ba844eaaa9cb1f57924d7a190e0efc4f80aa36e0

MD5 hash:

d5884d22f97e74d3b9ceef6dfb1ddcd5

SHA1 hash:

2933ba3495e068ef07410705d405567a6d8c157f

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/e79c70d2-7e8e-462a-b08b-a531f931b916/

Parent samples :

5bd972667024edef60c1f0f0bdb7c1602e7d9da7c736bc373e100c7521bb53f2
9f296a8fdf6e2d93248719c87156bb0410a3171d24ffce0382a0eda207deafe6
d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72
534116bf1a9bf94bd353ef08a736864b542269a03a039d2c54431cfd9894d729
e2661ac8c8a8e5db896935d7214c96181dff15dbf12f2051d86ce1a3a201c2dc
53012a3cec450e3c92749900993dfb081cd1dd86660063b8b1bebdf6400aebf6

SH256 hash:

062998381ba21c26e9f4e866a5cf32ade93d4251e039ff3c3a2cec7f21c5fc95

MD5 hash:

5058211ba19c0aec7d778b8a5d1b07cf

SHA1 hash:

9c6ba564b618b5b7590e15e697056637dad65489

Link:

https://www.unpac.me/results/e79c70d2-7e8e-462a-b08b-a531f931b916/

SH256 hash:

d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72

MD5 hash:

22bde89a8afcad7436370bcbc8a6b1ea

SHA1 hash:

61ab09b372aca112ffb4e7c91ee114f0800ef97b

Link:

https://www.unpac.me/results/e79c70d2-7e8e-462a-b08b-a531f931b916/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research