MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d
SHA3-384 hash: 16e54e55eed0ddc0f50670b8165cc3522fdad0cc3a55cb81b226ce312a6b62c9529554f3dfc22b98a22e8b16172e0ae3
SHA1 hash: 51406ad0646c199764a7b2a26e2d31fed91ad77f
MD5 hash: 4f91d6f43a69717ff16f3c09dcd0e7e8
humanhash: foxtrot-artist-lactose-lake
File name:4f91d6f43a69717ff16f3c09dcd0e7e8
Download: download sample
Signature Formbook
Create hunting rule
File size:995'840 bytes
First seen:2023-09-07 06:26:09 UTC
Last seen:2023-09-07 08:33:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:GPGFbjnlnvSYq7VFFKtanTtcDPHNtr0P18UEbotQ:GajlnqntLTtcLHNtrK8HJ
Threatray 1'518 similar samples on MalwareBazaar
TLSH T15F2553FC5CFC1136D9A0EE908ED9851BB1C0A57FF289AC1D97E20B650252A49F88753F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
9aea02086daf94dfa68afe47732bb5c2
Verdict:
Malicious activity
Analysis date:
2023-09-07 04:55:25 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/b3837e39-3c21-494c-a39b-3004621ee468

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446856/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/64f96d376048ca92831620c5/reports/316fe7dc-a754-42d7-8f30-c63c578d1f9c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/965e65dd-f9fe-462e-87a2-4ba3b445b0a4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304954
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1304954 Sample: 2FcJgghyXg.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 34 www.soccercitycupsc.com 2->34 36 www.nazadypro.shop 2->36 38 3 other IPs or domains 2->38 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 9 other signatures 2->48 11 2FcJgghyXg.exe 3 2->11         started        signatures3 process4 signatures5 56 Tries to detect virtualization through RDTSC time measurements 11->56 58 Injects a PE file into a foreign processes 11->58 14 2FcJgghyXg.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 2 1 14->17 injected process8 dnsIp9 28 www.emdefencetech.com 91.195.240.123, 49771, 80 SEDO-ASDE Germany 17->28 30 www.nazadypro.shop 104.21.48.68, 49772, 80 CLOUDFLARENETUS United States 17->30 32 4 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 msdt.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 23:49:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anogjlpnw7swo4i7lj4tywd3lcdl5ju6ojnf6a4pfn7qdipoxvoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3017b026d0925919ad8085d523f83235fa84ead58d1399576e60e6183003820e
Formbook
380cb4de7ecddc054955c5e7838e25fcd20dfe6455ff15c689474385f8c82ff0
Formbook
3dca60e7a32bc81165f399bab2162271332156e05c490ed4af3972713a1cb0f4
Formbook
7cdbc9e74ca8d6119202864a709809712505bac9f32b6d60c552f01a1ac090c3
Formbook
9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54
Formbook
b9bdf17b0783f5b073ba007091604c0407e825b17ae8ae90bf53d2a2140341ba
Formbook
bee949c5192f46467c2fb76490dd2407f4206639c2e5e824c74e879c02fcc342
Formbook
f72a8d106b976bd572e54e14f09ac3faed9c776395680f5689e412e62239409f
Formbook
+ 1'508 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:us94 rat spyware stealer trojan
Link:
https://tria.ge/reports/230907-g7rn6afa5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
56063abf60a17cf6ffe2d26eb6333d282ecddb9c090f3b4d5dadffe40e4f2885
MD5 hash:
80c5686cba03cb3e4d29ffc4edfc2c90
SHA1 hash:
9e5d4ab3f675a19c06200b182d4a7439539bbdb5
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1da77302-1e78-45b9-823f-6d9454913d1c/
SH256 hash:
d4ff9192418cab8dc90b32cd354a39bd7e7b3eebb74f9471b3c92a77cb3657ea
MD5 hash:
92871d1a3bccb2544e383c9940c534c6
SHA1 hash:
a8c988fe08240ff8a0bb6f7a5a3a1a557dc5c89a
Link:
https://www.unpac.me/results/1da77302-1e78-45b9-823f-6d9454913d1c/
SH256 hash:
55ea20faf9b0c8c00f3d3ea16ff5bfd836fa99f1941946885d45240d2f681f4c
MD5 hash:
eec54763c3b2e33ba860048ffe88f910
SHA1 hash:
8034038ca99a91c8fdf69b1bc745e9dcdaac02e4
Link:
https://www.unpac.me/results/1da77302-1e78-45b9-823f-6d9454913d1c/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/1da77302-1e78-45b9-823f-6d9454913d1c/
SH256 hash:
035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d
MD5 hash:
4f91d6f43a69717ff16f3c09dcd0e7e8
SHA1 hash:
51406ad0646c199764a7b2a26e2d31fed91ad77f
Link:
https://www.unpac.me/results/1da77302-1e78-45b9-823f-6d9454913d1c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/035c64adedb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 035c64adedb7e567711f5a793c587b5886bea69e725a5f038f2b7f01a1eebd5d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2710155/
Cape
Cape
https://www.capesandbox.com/analysis/446856/

Comments


Avatar
zbet commented on 2023-09-07 06:26:10 UTC

url : hxxp://185.28.39.17:7777/185.28.39.18/undergroundzx.exe