MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df344fc259f24af81530c6233e884b92803d190095a6809ab7db0a7609df4f08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df344fc259f24af81530c6233e884b92803d190095a6809ab7db0a7609df4f08
SHA3-384 hash: 07f8be9631165ef0c071548d4a68af5f5f9e6572d6d9786418a9b4edb8f013692b89b9f9b39e0b0601c6658440b351f0
SHA1 hash: 048e2e490e4346891f81e46743e224fceef05af0
MD5 hash: 2c0b0eefba55c2f87d69a6bf911393ee
humanhash: magazine-pip-mississippi-maine
File name:2c0b0eefba55c2f87d69a6bf911393ee
Download: download sample
Signature Formbook
Create hunting rule
File size:849'408 bytes
First seen:2021-09-13 18:47:23 UTC
Last seen:2021-09-13 20:11:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:DO/gecNU2zqX6lUB2Ake0DGOAXlbAjJA/R3vwEWb:fDNgWUB2Akeo3A1bANGvL
Threatray 8'082 similar samples on MalwareBazaar
TLSH T1DE059D2077E88715E6EE2730E03066A516F6FE06A57DD38D5985ADAE3DE3B448D003B3
dhash icon 1082888c8c888010 (2 x a310Logger, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2c0b0eefba55c2f87d69a6bf911393ee
Verdict:
Malicious activity
Analysis date:
2021-09-13 18:50:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f50acde3-4aa8-46c2-afc3-71f99b4932aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187556/
Detection(s):
SecuriteInfo.com.Variant.Bulz.712068.30115.10154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
monero obfuscated packed
Link:
https://www.filescan.io/uploads/6175050a9a5a1e91c5d1fdb4/reports/b79d3d98-baa0-4748-b6c8-97cdf91dbaa3/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7df6eac-471a-4711-a1ae-cc48cfaa38aa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850095
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482522 Sample: kfis19tnQq Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 38 youtube-ui.l.google.com 2->38 40 www.youtube.com 2->40 42 www.google.com 2->42 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 11 kfis19tnQq.exe 6 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\kfis19tnQq.exe, PE32 11->32 dropped 34 C:\Users\...\kfis19tnQq.exe:Zone.Identifier, ASCII 11->34 dropped 36 C:\Users\user\AppData\...\kfis19tnQq.exe.log, ASCII 11->36 dropped 62 Writes to foreign memory regions 11->62 64 Injects a PE file into a foreign processes 11->64 15 kfis19tnQq.exe 11->15         started        18 powershell.exe 20 11->18         started        signatures6 process7 dnsIp8 66 Multi AV Scanner detection for dropped file 15->66 68 Machine Learning detection for dropped file 15->68 70 Modifies the context of a thread in another process (thread injection) 15->70 72 4 other signatures 15->72 21 explorer.exe 15->21 injected 44 192.168.2.1 unknown unknown 18->44 46 youtube-ui.l.google.com 18->46 48 2 other IPs or domains 18->48 23 conhost.exe 18->23         started        signatures9 process10 process11 25 chkdsk.exe 21->25         started        signatures12 58 Self deletion via cmd delete 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df344fc259f24af81530c6233e884b92803d190095a6809ab7db0a7609df4f08/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 08:22:21 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
32ea10b6bd6642663614f79f2332c45d76772db89bc7efb5d4df3bb21d9c3562
Formbook
4c687f5a0d352eb6e530e2939ec33098787e626ccd60026ff692ae8c368a5eeb
Formbook
5488e3789bf0a5a2650644198c4dab19884ead5d51b7aee45e4e4f54772e1c86
Formbook
5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf
Formbook
7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7
Formbook
a728204cf53dff3c0f93facfa43a189166caf917e31e85c3ff3b773ecf0cb9b6
Formbook
ab4795f656b54e9388c89d6a4df52747510fa418bdb50aa3bafd7b332ef1ff81
Formbook
c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57
Formbook
e1fee7ee20f6d3bd6e913baeae737c558014454223d552c125c3f963e7c1a843
Formbook
+ 8'072 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:wdhc loader rat
Link:
https://tria.ge/reports/210913-xfs1xaece2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.orbitaladd.com/wdhc/
Unpacked files
SH256 hash:
6828f1163385703cecf0f4161c5c76d894d9c4df76c39d27aff68021145556bc
MD5 hash:
3d8635d73798a2ff6c486bbe71ae2e2f
SHA1 hash:
cecce56ec5bd010d6face3939a0a756b783c565d
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/86abdcb8-0a24-4c2e-892f-00b2324de821/
SH256 hash:
91b9d307f8bcd26f40377e93cf976c6cff3453e8035a937ec9ad13777b089247
MD5 hash:
17bbb246b053b107a24d53b5a131e1ca
SHA1 hash:
b28a21d7129bec68267bdfb75bf749ec3a479c46
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/86abdcb8-0a24-4c2e-892f-00b2324de821/
SH256 hash:
95deceebf993485d66d92869b4ed3bc96737c249d7c1cf801a63f6a1143727f3
MD5 hash:
e2a630610df28349fa6bfe2501bf9440
SHA1 hash:
8ac5a35a40634112fb3e33866fa83aa34c48e6d4
Link:
https://www.unpac.me/results/86abdcb8-0a24-4c2e-892f-00b2324de821/
SH256 hash:
69fb4cf7f4e1292339e003ab6f4992202b8dce6b709a8e88b5cf081a21ea5174
MD5 hash:
60051302709f7e5182e79db033bd27fb
SHA1 hash:
450a96d248839584eb2e0f3e053ef0dd6a74da29
Link:
https://www.unpac.me/results/86abdcb8-0a24-4c2e-892f-00b2324de821/
SH256 hash:
df344fc259f24af81530c6233e884b92803d190095a6809ab7db0a7609df4f08
MD5 hash:
2c0b0eefba55c2f87d69a6bf911393ee
SHA1 hash:
048e2e490e4346891f81e46743e224fceef05af0
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/86abdcb8-0a24-4c2e-892f-00b2324de821/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df344fc259f24af81530c6233e884b92803d190095a6809ab7db0a7609df4f08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_karkoff_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe df344fc259f24af81530c6233e884b92803d190095a6809ab7db0a7609df4f08

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1616925/
Cape
Cape
https://www.capesandbox.com/analysis/187556/

Comments


Avatar
zbet commented on 2021-09-13 18:47:24 UTC

url : hxxp://52.47.201.149/s2/b/re_85412000040631.exe