MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf
SHA3-384 hash:	6b6c8f5e47aba0cebf9b3e95544971a44496ef1b09a507bdadb2e1430e820b3cc85dcc3bd10ae87a76d5d6245797c21a
SHA1 hash:	9caef11be00b7abb90728a4ec2c7b443cb4f150b
MD5 hash:	92a74ea70be95859d974cff284cb163c
humanhash:	may-nevada-video-don
File name:	Se ataseaza factura, extras de cont.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	905'216 bytes
First seen:	2022-03-01 11:56:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	33b94ee3884a0cf9c5e98b333fb633ae (3 x Formbook, 1 x RemcosRAT)
ssdeep	24576:/2x8NS5kItun5zIJjhBmaZce1aZME0W19d0:/QhB/CMEz19u
Threatray	12'111 similar samples on MalwareBazaar
TLSH	T16915AFE2FE905533C0271575DC0B93949826BDB03D2CDC4A2BE8FE4C3E355963A26A97
File icon (PE):
dhash icon	eef2f3969292d42a (18 x Formbook, 4 x Loki, 2 x DBatLoader)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Se ataseaza factura, extras de cont.zip

Verdict:

No threats detected

Analysis date:

2022-02-25 08:14:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e360c98a-52fa-4880-aaa8-c29456233143

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/245755/

Detection(s):

SecuriteInfo.com.Artemis1084DA49A3BD.25700.4860.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Searching for synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7734/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe keylogger packed remote.exe

Link:

https://www.filescan.io/uploads/621e0a28b94fb38cb42e0e28/reports/03b13e31-31f2-41d6-89a3-22835c470e17/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3f6ca62-b755-49aa-b86f-bc19fe898752

Result

Threat name:

DBatLoader FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/948114

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Drops PE files to the user root directory

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2022-02-25 09:25:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 43 (65.12%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=anqq4inadl6y3qm4tbwwtjgbh3w2sp56ydtovz4cqbsxqhfafc7q._file

Verdict:

malicious

Label(s):

formbook

Formbook

3bada4f5bcaee92a5979aecaa24326988226e9886815ccba28904d30735fe506

Formbook

641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277

Formbook

9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7

Formbook

c1c5eecc6b6b1138ad43a1b2793d3872dca1c6ab4ec53d34e354e49e35d045d0

Formbook

d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212

Formbook

f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36

Formbook

+ 12'101 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:3nop persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/220301-n4lgasaaa8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Formbook Payload

Formbook

Unpacked files

SH256 hash:

e0f0812898ccc9c325dc08dc1377365ec34bf8b6da18aa90e6b7f7aa2a13c548

MD5 hash:

289caf1027c7b756ce8da53d02485cea

SHA1 hash:

2f583c1c335fd45d56929dcf54c85ec37251edf7

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/5f5c7855-47a3-4440-a847-2fd105fcb142/

Parent samples :

6a7dd66c29530f7ed8f03ebd4b5f843639b34581d2e9ecd85c9fbdfb60450607
8051703485faca901060ae5b39054e5efee88909d2e1d4bb0f65126cda3230c1
1977d11ffc5195546fb8d5d8c660d7553c3961bf87ad4b972ee0cb1794d2168d
d4a859db98f9fd7473592c49c36ac926a2a29b27d7db8fc311f468bf82e64588
f35eab27c7c3c148fc5aec8351e7e5bd612214c91937d9867c8683ea7cde130d
974c776e5c3d20d4e254a4a493757f482931a2c48cdde33c76a0097eafbfdc85
83650c9dbbc1f4c607efa7934674da5f6237b234a81116744288be02cf2ead54
ee2440922354d6be2dce4ab27274ae2cc2108d8dde37837a739a7e2a36e317d5
f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36
fb98f0f50c30ffdacfa3ea67a2990fa5ec2ee2646dc2226179f8589aec41f5d1
5289d529e7d53da3449ddf8400d12ae7622ede25284c2823ed46d0800fd94736
46c2da007a993c4b1ecfa3ff91364bc98341c9c228517eac38b50c4567fb78dc
ea43c71d7ec447e2483c7f0c8488972648209f2b487f2e6e64227d3d729c1d88
23ebe8ce49e895139f26f190d36a37ec52e924db63a995901948f30111efe6fc
526f4e19614eb20343647b92758df4c1f9227e77bec90af22256af4b3b091596
02466f10b00992a56b5fbfd4f8117e8572c2f64b27fd7bed8b51acc159004fd5
d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
d3c632c33688b9d7ae817a7932ddb1a48dbaad0410a681304c6c88211a020fdb
641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277
9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7
564d91f37b294e7a10fe79495dc9da5ae6733b20f2d7c732ff0c692110b0e01a
ac59a96a7600ffeacec6db910d9ff04e5ddfaf5f325ca41a0c06028a739509da
7391303e2231d2f0143f8b0e86df253054e461a52279139fb800180d32271dbb
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
c1c5eecc6b6b1138ad43a1b2793d3872dca1c6ab4ec53d34e354e49e35d045d0
82c24935270870bb35719f35c29075f8bf02894bf81ba28e66983aa2247472a8
7146b418cdd99ac478a67e603bffb10c10f1c32745da1fd60c931f54f1f114a6
a7f53b92008e8a3678035fc366bc1b88d152efc8466e9e82c754752d000a5ad5
d423d7edf718ca00f8410a93834a6f9c99216c3a60860700f1fc6e493fedcc43
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
3bada4f5bcaee92a5979aecaa24326988226e9886815ccba28904d30735fe506
50365c827bd768ec7fdf1a5b688d19ec0645042e92f04dad712a1955e9bb4c8b
e0cee79b01870e15ca64195ba9d953f91173b189b9fb8c45a2bae916dd8f95a5
3fbc9c55133b3d51ba2221836cffc08e727826e9514233706781f897ca0988f3
15bff226310e77a5ff67a9e131c8e5d7ec0686e967e0863dca784f20fd8d0268
3d256cfde83a4560df279fbe2b4ef03ccd52fa13b31bc1daebcb3bed353c215b
03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf
6d3ef9ddf5f1d57d353e5d8b9bedbca6ab42765de06abf381534126d24142948
bd54feaedda33ef8e611cd540e84b8c44d989f2417ddca33472cea3b7892afaf
3f8e7640849ec23964af23d6e70ccc62510a3cec9bd775b30d18d5db7215a22b
b65b5c308318e1e0fc2228dd022300099273dc340aa8faba81abc1d3868707ea
4195e6b7bfb7263798034048a5a2d34780ecdddae25576e23e9c6b0df9316ccd
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
b3b8ceafdfc6bde8a73c68005414b709ca2b08f5eecfd9a49d769460d6c17c98
67708b9f3764b349b6cdb3d8cef073edc22303181f0a1c6f129ac1dae18feb1d
714e06d12bf6f481cfd3dfa64a13d37c614a759543d87b38ca2c6a03ee936f7a
fa6d0f34d7c69bc4e525cf1830beffa3aec08c9b69aae24f55a6232d89680421
4a59190e199b69f65aa69f2f5f1f6b568d49a052868e2c853b7ea1d70c04a953
5a288a8a3fd0158f2d9e11713cc4eaf951e12e4f196fcea95d74a14fc37d16d1
6c18b064240861b42aa8fadbea5472fdce174a4d2b1510d53cba2b28779602d7
988d086b6ca75da2fca905b090c6f20b21749335f7e2ee99d8dab2001d4667e3
aeb38f72dfa11e848a65cf0814a530e24df08dc818348d9e80978cb330f24af3
90b5404ae697363f350f8c78220428a79ce57b743e5f0eac06137b27fea25400
c1b7572079230fd99c0ca004448f526420c124efbd0e1f6027fb950fbac5e05e
952d3a3e3d19204bf7bb614623aa0d78e0be4ee05b0313c5c68e0e10f6e390e0
f1d8f8c8bb9871fabbd6a001c48bc001c5181b512d2989e87f08280b74ada33b
42dfb1aeb19afac4595bc0146dd42ee251896ea1bf3ea8ab05d4bd28a7edbed1
8dffb14c55c2880b40767aadf5615a6652403d59f357b0b77da3e00b875a0e32
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4
8f9f3e0d7eebe0304aeb35eb75be87c7bfe13859e00851df037f54d14765cbb9
44d963269f8d6e5ec5c15354be28c9078f58eea78943d39eb78c6485dea5065d
55d580190c976f23c945cb65feac487555e1b919079d930fe6201e22b5538905
d7d7882cc702fc76252e2b4fe7cdc7fbffa038e2329e579142e64acf81a26304
c7c0d3e8cd6fb36ceb4b5c2e32b019dd209fdd38fdf1bcb215f973da80437dd8
b0842f8285062f38c030bdd15264ec38fb23624888d135121f1cc11084c765ba
a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2
42cbad41d36d2c0f5ae498e89024822907894f02e173802d6e96dc57f0bff2ef

SH256 hash:

03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf

MD5 hash:

92a74ea70be95859d974cff284cb163c

SHA1 hash:

9caef11be00b7abb90728a4ec2c7b443cb4f150b

Link:

https://www.unpac.me/results/5f5c7855-47a3-4440-a847-2fd105fcb142/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/245755/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample