MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d
SHA3-384 hash: f595beae0e51cee3bb6350728217d978727247c13c8f94b212125e879be84308229c359b700d832ca43633bd6742e00f
SHA1 hash: aff3c7a90bdc9eafee5f1b33eb25e653908234a5
MD5 hash: 5a359fe001dbe5d3273b0eaf98958aee
humanhash: idaho-fruit-skylark-california
File name:oZF2kXw4ZRc8NjL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:612'360 bytes
First seen:2024-03-11 07:00:27 UTC
Last seen:2024-03-11 14:30:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:L2OeWehkQs6cWERl6bOO9BZUYdK2d/ii5FLZ8Sg/BPj+UYyMqvkR:6kQs6cWELqBZPK2dDK0f
Threatray 1'435 similar samples on MalwareBazaar
TLSH T1FAD4238955AC5370F3F6DBB2689782118BF335C2F611D7F8184182C91AE9B111EDAF4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook Shipping

Intelligence

File Origin
# of uploads :
3
# of downloads :
337
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL Shipment Notification_ 324569840.eml
Verdict:
Malicious activity
Analysis date:
2024-03-06 19:01:47 UTC
Tags:
spam formbook xloader
Link:
https://app.any.run/tasks/0e4f4eb1-091c-4222-9052-0e43a1486262

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/478476/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2730.8815.9341.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Moving a file to the Program Files subdirectory
Replacing files
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed
Link:
https://www.filescan.io/uploads/65eeac30757c624818aa23d6/reports/146024ca-28bb-4ead-9333-f01374750294/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc1bc94e-3707-4f1d-8177-a3e3febd2cdf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1406350
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1406350 Sample: oZF2kXw4ZRc8NjL.exe Startdate: 11/03/2024 Architecture: WINDOWS Score: 100 34 www.tapeworm.xyz 2->34 36 www.tcindustrie.net 2->36 38 12 other IPs or domains 2->38 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 52 9 other signatures 2->52 11 oZF2kXw4ZRc8NjL.exe 3 2->11         started        signatures3 50 Performs DNS queries to domains with low reputation 34->50 process4 signatures5 60 Tries to detect virtualization through RDTSC time measurements 11->60 14 oZF2kXw4ZRc8NjL.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 87 1 14->17 injected process8 dnsIp9 28 rcpbooks.site 195.110.124.133, 49719, 80 REGISTER-ASIT Italy 17->28 30 taifengtechnologyservice.com 84.32.84.32, 49721, 80 NTT-LT-ASLT Lithuania 17->30 32 4 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Uses netstat to query active network connections and open ports 17->42 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 58 Tries to detect virtualization through RDTSC time measurements 21->58 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-03-05 07:41:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kx3h4x4hgncf6i5o2lya6ievgeq6k72ddempcr57rrd47bdqfoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b97c43d0eb22c21c8c4be37b6b45a1fd2acc9aa8c2a30012a06c2a0fb23a1f2
Formbook
32290d3a44ccd56a41469cda2bd09d79dde405d398b76705c0de70faede87bc1
Formbook
4a5be9ff6a2401e1d1d08a56acf3664ccddbae314a1d26e6debc90adb401d414
Formbook
806cf23f666655a5bd33cde42e7192532492c13521db8157f0f564a46ce0a6cc
Formbook
9669bb3304a589cfcbd3faca14cfa67aaf2b1bdb5bf61c285292e872c03ba5bf
Formbook
982a9a52e532bbfe52941c4ab95c2899c1af75e9a3eee2b1977e3f49e8a3e71e
Formbook
c1aa65f7c2cc6beb7052c8ada46a3139fc01da66890f4153a7c5761292b71d61
Formbook
ccbdd15e650bb5d3bb0e22c96cfb7d03b38b1fcbd7f7c161c87726fa04df6570
Formbook
d05f9af8ab2a4f8d284f8c55ff0d6bd49148f110d19dee193fafdd8a132b5c6b
Formbook
+ 1'425 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ns03 rat spyware stealer trojan
Link:
https://tria.ge/reports/240311-hs782aed79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
9518217b208cfca11a2b068cbfb18552033199e5765482b3b083e2a31398bb39
MD5 hash:
aa289b0ba123b74f54e850e6cf597075
SHA1 hash:
60d6cfcab59aed57d9e983d2af885ddc6b767241
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/33873b09-b0ba-4ab4-b0b4-06628a7648ab/
Parent samples :
96d90626c35f88cc3632053cb3e3996b4a25a172c140b0917061f1fac691db3f
f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d
da8d21fe808c01783c737202d4c6f233d70db99b7c1180c5883963adda3e3d45
998364f5e0b54676d1d45747717b5adfe4b92ee5a6046d93f7f92e77d95866bc
b3dd3ec805692dca3ce544068053b8d4e85521265dd4a1392ecf0d47b2814c66
e54350487bda76835619ccc44ff79db38db5183f544efbf33159cfd707bcdb75
d68a5d440931df383de62e3436f5f485ecd75b552e8b78065706a8c880828378
4c60c35f29e69092f5e26e18d43f332f00f33be5006dfb0f9e8cc7327ec6db92
2eab6a48a08726441514655a1d84a3921af8139cd2e7b61f23a30c11785f28f2
12c7ec6f047ebf12cb9f142bb71fb0de5a61de79286776440b5814c94d93e2e4
SH256 hash:
dbf4d0de65781ce953240fba3c3dfb7a1a00541f8879a78db19a7cb8d586fc5c
MD5 hash:
9e4dae62c69fe3cf829ff4bc0f788235
SHA1 hash:
bf64e7ebd5cbed51a7c3985315dccddd199bc722
Link:
https://www.unpac.me/results/33873b09-b0ba-4ab4-b0b4-06628a7648ab/
SH256 hash:
41085bff86fbcd42418b7823567813b4fce5b0cd2d8d46c90c8f7c26f83187a0
MD5 hash:
72b414550abce28b465f30c87bd9d898
SHA1 hash:
ae3acbbee250b1ef47bc8e8c749e97dc12df318c
Link:
https://www.unpac.me/results/33873b09-b0ba-4ab4-b0b4-06628a7648ab/
SH256 hash:
0824f83dec27b5f227a72ec2044079f72a85f8807d4e9585b88e39f7151e3c44
MD5 hash:
50030c1c01a172bfb7bd931edbd76ea6
SHA1 hash:
1f1e5566aa920e258ef0e7f88ed57e83f2aa6dd5
Link:
https://www.unpac.me/results/33873b09-b0ba-4ab4-b0b4-06628a7648ab/
SH256 hash:
f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d
MD5 hash:
5a359fe001dbe5d3273b0eaf98958aee
SHA1 hash:
aff3c7a90bdc9eafee5f1b33eb25e653908234a5
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/33873b09-b0ba-4ab4-b0b4-06628a7648ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r01 fcb7fec639066bc7dc5eb343e0fdb94102900f4859075e4639a69b40a2c482e5

Formbook

Executable exe f2afb3f2fc399a22f91d7697807904a9890f2bfa18c8c78a3dfc623e7c23815d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fcb7fec639066bc7dc5eb343e0fdb94102900f4859075e4639a69b40a2c482e5
Cape
Cape
https://www.capesandbox.com/analysis/478476/
  
Dropped by
MD5 e51ea0e5fa8fb41f55bab3d7bb674144

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments