MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70
SHA3-384 hash: 124172224b65127c13e05d14135fc44e3edf2da0c48a56d9c65814c2a220be4941f586c2a0b05261ad616e2d68253dc0
SHA1 hash: 271781ac1b7af0ef538fc37510add12cbef3253d
MD5 hash: 663761b54a50098040c6a882fca010f0
humanhash: lactose-dakota-green-snake
File name:663761b54a50098040c6a882fca010f0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:522'752 bytes
First seen:2022-01-31 12:19:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7VO7Jy3pFwa9wM9S4Ct5L8gEFn4AJADtGG:7VOVkFN93U5L87Fn48SGG
Threatray 13'032 similar samples on MalwareBazaar
TLSH T111B4AE74A1A78591F10BC974257CFE6102B230E3A9CA0E3967793644DFEDF593E84A0E
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
663761b54a50098040c6a882fca010f0.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-31 12:37:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ba52a67-536d-47c6-beac-71862c9de08b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228429/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f7d3fcfc92af0d80a822aa/reports/ce76f26a-08c1-4451-b039-42918f6703ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a8b3840-6b90-4206-8a24-35debf1f2ac1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930807
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 12:20:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
11 of 43 (25.58%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3d4e25f876b2007b8b03a1d79109a52fcb5602644fb4554eb065f97853daa5de
Formbook
5f3980e6686fe4d2dc41f24e42287d082cc894a57078e69e4a9554bec20ff5cc
Formbook
b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9
Formbook
bcba0056c80d1a5c320dd74fea9caba51cc2f41c4d05215df1ab825a5ca10de4
Formbook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Formbook
d8b05baee601302f22a561d0686689994296a4fa6ce256bcedb9bfa899553c07
Formbook
da00ad76bb648365108fb03a95cf69a56608e4605cfe02fcaf933af239ce7ac2
Formbook
db4d5bd36f923fdd47daf48ace971f47e9764d27a2f88241f09c754c042efc28
Formbook
ecc6439ff97e4b77f3af320e4c224f712478610fd28a1b6e6a03573c4b90f405
Formbook
f136f4f9c59c4ff2582063222c6df106a3d1e3d7d9220ff73e3cb2ec487fe1db
Formbook
+ 13'022 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:qugo rat spyware stealer trojan
Link:
https://tria.ge/reports/220131-phstxshga4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
fd1cb547ff1500174018e7ab3eea419a830d951b2d43ae31d3828d2a2da6a63d
MD5 hash:
4bf2f0d3497ff405174d0c95e000f829
SHA1 hash:
d7e7f210d1f854b3e99ced28e977bc0cb4e49b33
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/321632c2-20c0-474a-b85d-0bccef5a7e5f/
Parent samples :
9b0e4c0a6259aa239b6c344b705dea5fbb487b680bd754453f07b9b016ec581e
00a78edf157a3c87ad4b115c94882b77e110d51bd2bd4f59c41781b83620ed7e
fccb02b0403cae9441c58753519e4c216735cf2bdce838c8ad2b26b35fd59493
3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70
96de11fc0f948fc3039f297475ba8abfcedaa7a9718634359286fe49156cd216
8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0
6420ceb34588ec91292aa6fcaa2b77b99a4b492a009f51a409fd240d138c7856
db4fa159359fbe0ba9857ae0e971dd206f23a7522b14073151b27bb030db8f5f
3ae87042d27ff3dc60afa754c3aaeef419a19a4a7d67a090ad8991b5892c62d6
SH256 hash:
3882383a56ea1a533d9762020cfce1e7fcebd58af493de9c6affb74f0cd3b63d
MD5 hash:
a82a4025ba606a39f021685009d7f240
SHA1 hash:
d0d1ca694b8f7c64b5bbb62f661af8fcee84a00e
Link:
https://www.unpac.me/results/321632c2-20c0-474a-b85d-0bccef5a7e5f/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/321632c2-20c0-474a-b85d-0bccef5a7e5f/
SH256 hash:
3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70
MD5 hash:
663761b54a50098040c6a882fca010f0
SHA1 hash:
271781ac1b7af0ef538fc37510add12cbef3253d
Link:
https://www.unpac.me/results/321632c2-20c0-474a-b85d-0bccef5a7e5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/228429/
  
URLhaus
https://urlhaus.abuse.ch/url/1986800/
  
Delivery method
Distributed via web download

Comments