MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
SHA3-384 hash: 24795c602d697c65aed9539f96c19758997aabc8dad82e819197355ea5e8407685c35ddb19e1c840eb908f30fce1753a
SHA1 hash: f52f8fc2ac3a3c49748fc9fc8facaa5417b7f1d9
MD5 hash: 172c7514c4653bfb66200b4bbe6a35de
humanhash: orange-violet-three-mobile
File name:Notificación de transferencia de pago 1005680458220223.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:915'456 bytes
First seen:2023-02-23 09:06:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:ka174dajhYHKRfu/FuKcfGdZcPhsbCjrlpCtcu:ka6alYH4guF+Aysl
Threatray 3'252 similar samples on MalwareBazaar
TLSH T18E158B8BBBF09077F99E419C063916CF5E31A252764CE2265F3B39488D8ADFBB1D8111
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Notificación de transferencia de pago 1005680458220223.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 09:20:54 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/8a987fcc-0eb6-4672-b886-a9b19fc982e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369228/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f72cbb42bf85850e43a500/reports/767fbe41-5ac0-43cd-8bb5-5cc66fc801cf/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8b52ba8-295e-4278-bfdb-f30d899ad19d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181182
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 814014 Sample: Notificaci#U00f3n de transf... Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 37 www.8ug4as.icu 2->37 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 7 other signatures 2->51 11 Notificaci#U00f3n de transferencia de pago 1005680458220223.exe 4 2->11         started        signatures3 process4 file5 35 Notificaci#U00f3n ...80458220223.exe.log, ASCII 11->35 dropped 55 Adds a directory exclusion to Windows Defender 11->55 57 Injects a PE file into a foreign processes 11->57 15 Notificaci#U00f3n de transferencia de pago 1005680458220223.exe 11->15         started        18 powershell.exe 21 11->18         started        20 Notificaci#U00f3n de transferencia de pago 1005680458220223.exe 11->20         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 22 explorer.exe 1 1 15->22 injected 26 conhost.exe 18->26         started        process9 dnsIp10 39 bluebirdbuyers.com 151.101.2.159, 49698, 80 FASTLYUS United States 22->39 41 www.samsonm.com 45.196.98.110, 49699, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 22->41 43 www.bluebirdbuyers.com 22->43 53 System process connects to network (likely due to code injection or exploit) 22->53 28 wscript.exe 22->28         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 28->59 61 Maps a DLL or memory area into another process 28->61 63 Tries to detect virtualization through RDTSC time measurements 28->63 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 20:19:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 25 (68.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=geyp4acavssrgwtmeisrumj7zlfalraebatspwazcvc7zt6nhiba._file
Verdict:
malicious
Similar samples:
1c120ac2bc08fbd5455f3d5a47dd87ce73e40fa4b0f7a3cdb2d41a85c800e603
Formbook
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a
Formbook
4cdfd3ac195a3194d4a4ad72a3d3aeab0009f8b8bcdd73f7664ebeafd0023bae
Formbook
59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598
Formbook
68561f9a18130d1f0e2a8ca14b9e9344a7f624bb599a766a5b41e16fd728e192
Formbook
78fff929b8912e1b4d90a3be2e07fde0c1f08d45f3682bb009eabca909183f44
Formbook
8a5eebc7b8520bde5c361db7249fe0d5286e9074dc7e0bfc555f3f2a1166bb2a
Formbook
b2c983f76b02245e87e5b264f1a89fae3f3fba72772f11615de582d1804acce9
Formbook
c104d364eec79cad7a9c9040ff30d46e6b2bf694b3c8f80130bb599345fc3d76
Formbook
f90cae8d2f230d52a461faf67dd818065329eb8cac4c241734a3f224eee1c531
Formbook
+ 3'242 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:jr22 rat spyware stealer trojan
Link:
https://tria.ge/reports/230223-k3bnxshb8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Blocklisted process makes network request
Formbook payload
Formbook
Unpacked files
SH256 hash:
a3eba40fbfb3681e240ed1dda348e16880a4e06a9990cbb6248a3be71bad4650
MD5 hash:
da2d6df235ec9fbc62e4787b0a0d2864
SHA1 hash:
846014461b5efddb0bf58dc62a5a2791aec58dbd
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2b6e6a12-4831-4bf2-aa4f-5c7818121763/
Parent samples :
53cc734dfa4d7b0bfa0cd0e14af42363792980b96bf42ef0581a8cbc05f5bb82
759145621f94949b40fccce63ea37d4d797d9a8548e0e2243bc53cd8b38d5ed8
14b54b7a4da97a23f3087f1b7641136dbd2d54930722dbf44afbc582e8aeb93a
fb153302b37f24aa962a21dfd2412a8066db5a7440f90ecd9611992c265af5b7
227b1adbf8ac110359ca5f0b02f8c371e8305efd24dc6864d3fce51f703ba76f
676416e2c1407bc9019df6f3228e3fad314beb2c7407a537cdeeaddb85fd1360
d129440d60999cafe3d6b5dd963f432a9dbcf984ecbaf6a8e804fa83774aa27d
4a8431b326b81b6a7511866390b22fad55234b730d7b1f02ff49664651d23b05
884a00ed9586fb90dacafb862e1109e3bf77181e0da9753f8d1d14447b3ca377
babfc42e0af2245a67e8b245bdd1f5e11c840cae6e06ecbc6593ed62f4dd2175
457abec90e7a3b7dfbe608a34190a08b1a8ef3b16afe476abb39678da853a7da
a4a1a724d5b3303e41f303298a3506cdbfa9913a43381c374968b3b5e015aad4
d51e64e598f57356d2e7f0ab76723cc0d1efef0c6ed396d29efa50a229a82a4d
95ff1b2ac39df0ad2ea1949b63257b6312caadc9da7fbe292f71e6a3d4c8c624
49790af2d4dbcb19d9467b8c3fffc208ec92eb4368bb2e98102699ec28501667
709fadc9b117a1a600f71c727e8c2c879434d118f79e033f7a2aca969068c9cc
49bee43f1928c8c6cf9c0d2d692df4581235784d51ded3051685fd18a51d5599
c2a2e935606e9b8d5ffc48c3fe91812e29f8abf0de31abfd6eb4d014fe781e5a
00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590
22445431e206fbef66234fe0e6bea47e01e1119157048059c918500027f016fe
1edc58836efa9d62f0257732fd5729bb5b36df6312aca2f29d12dce0731a0c2b
4abe84412ba863045280e803595082ce90ce2684640da996c6f2987a9c4cba32
e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6
32a657e250df4fd725a82f39075a8b2286d4e5a0d305df66deba979488c22312
48b6f902f4f54d1b87cac19db77d780623796062a1be32c858c8cf1881b1acbd
a14a7402e2a08d44585f37122f323cfbfd13f2e5d36377242e60dba60a348610
e63c3b11d92150b40ea8e1a34314be6055aee5214b3558473c539e9aa33ec150
35511df3a80e96c275e6d63f58921358bf51dbef3f981a316d2212242112ba9f
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
d81949804bc29604ac2de2ac9f2d360deae54a39d28edfbc9b323868b619b059
b3d799fc625b259d9572ca933476c856f5cd821cde94e5360f1ea1921a6427ec
c1b6263682ff4c894af9df16a4f6c63bcd49248f2a580b3a3c86012d44388437
e8bc95bd3989e65c252e733adab5c16d51b18c19bccdab299d914cf6df922826
8987e10cdb8602039c7980d8a3d3736dbc9c65da17ffbc1a5844ae1da1d2ea9f
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
ae1f2c8fd75695601dbe0f3b3fd00922495add9f623a81c0989c0fd17f10776b
5fc72e527c95078de299e57ba9a01084691efbc8cd9d4a5d5999db4506c6f46a
da09c2de0b3ff15f2a68fcb18c12bd974a1b67d282f09f0941a64d08d9af83a7
4f878a5470b9cd89d1db651b83471d169e825150b4063a1cce12ea0e747b187f
c3a388437fe334c0af827aaba2b9bbc4bd622b93faa6f8ecf39660e110a4affa
1c38daf9f1fd8cf3cc954ac18893d3d7cd9ebee75b49ce29fb885910d83740fd
ae5b981a55ba0eaa4cb03700d54e3a78799590691315b2973ef1e4e16b2e8c9d
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
35e4bbcb475db082d2dda25b1e2acc001567abe7bbb4c0975827c800a529b2f4
2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56
a6821b8dbe19bb7e7b1b43e26f7a48c4b3ded583ff774e7a754b303af70ffe10
d2da367f408927aed9dc92251cc05f67a7032b9f59eafc1db59c1cc4aa71646a
4665c6ecef9d50ede04cfe2946684aead2040e9e1321d6324801e18673f67271
033533baa2ac7c6e43f18048aa02f5b150ab86384fd95fb4d49e58660f2c5d2f
3adaefb94e006670d66c9675ecf47b65a27bc39325bf96432c79ce47d473edcc
c4333322e47f6528c43a77936dea4bcf9230a3ec68c527d931d3c1c8f6232baf
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
b289fe67b0185e1ba0177f583675ce399772bf03fd813d47835c45427f71fbf0
b6209f2e0f32d7b0b3bc43b87bd3b44349ea80587db13d6d02ca6398d4459f6f
3e07d75e18bdabe5880fe8e4dbd5fad1b9d2c111ee6f43b35ddb5ff8286fd2e7
2484791ea3c160c3de266ebd831f707da64d5e5f31ed81270bf18947128d0933
ae53e378d16d207d5bf419aba715a89f84a0db8e7de1fb4ff0545d54cac1eb50
SH256 hash:
bf0a818559a9e0911b61e59f23bd596cb5fd2c575632051052e654cb9b4f4a1c
MD5 hash:
10a070eddb7ef7d52e1f1f381480b063
SHA1 hash:
ecb27d20444bb500012a09f8884a0e9de26b92f2
Link:
https://www.unpac.me/results/2b6e6a12-4831-4bf2-aa4f-5c7818121763/
SH256 hash:
b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e
MD5 hash:
301d49f143b4559eebb04d6604c9c806
SHA1 hash:
8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3
Link:
https://www.unpac.me/results/2b6e6a12-4831-4bf2-aa4f-5c7818121763/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/2b6e6a12-4831-4bf2-aa4f-5c7818121763/
SH256 hash:
ef44711caf18e456d18252390da3f3840e610ac8b63d913817f520d9120a6cc4
MD5 hash:
6aae10a3f50e6ccaef7e90ac756eca36
SHA1 hash:
1195a90520ffb47b2532c2a67016d445a127d472
Link:
https://www.unpac.me/results/2b6e6a12-4831-4bf2-aa4f-5c7818121763/
SH256 hash:
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
MD5 hash:
172c7514c4653bfb66200b4bbe6a35de
SHA1 hash:
f52f8fc2ac3a3c49748fc9fc8facaa5417b7f1d9
Link:
https://www.unpac.me/results/2b6e6a12-4831-4bf2-aa4f-5c7818121763/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3130fe0040ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369228/

Comments