MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3
SHA3-384 hash: b3934165cd3a225ed9e1484b1d318605baeb3980093c46fe9ac3e822b85a94f2c02b78d38a6f621dc9b2860fb93c1a50
SHA1 hash: 1ddc6b218dd520915ba8933e8214f307387b0e13
MD5 hash: 2417cdb09f72141abfa45cb64e699d91
humanhash: gee-alabama-quebec-one
File name:SOA.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:613'376 bytes
First seen:2024-04-23 13:02:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:Hiu6oMr21DjiSdBaLMl7kKxYBQWHm6ayJNMH00qLsPBUr4wtJ:Hi/KDjJdPbyvm6DrMHPsLr/L
TLSH T11CD42345B6ACAF27D76596B41AD3938C4AF851A1FCA0E3CE08D105DA069D784EF40FB3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon a062d0cc4cf21020 (1 x AgentTesla, 1 x Formbook)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
US US
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
DNS request
Connection attempt
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94d26756-c750-4bad-a305-c05431f1091d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430339
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430339 Sample: SOA.pdf.exe Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 34 www.9831bsej.xyz 2->34 36 www.wszy.site 2->36 38 12 other IPs or domains 2->38 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 13 other signatures 2->54 11 SOA.pdf.exe 4 2->11         started        signatures3 52 Performs DNS queries to domains with low reputation 34->52 process4 signatures5 58 Writes to foreign memory regions 11->58 60 Allocates memory in foreign processes 11->60 62 Adds a directory exclusion to Windows Defender 11->62 64 Injects a PE file into a foreign processes 11->64 14 RegSvcs.exe 11->14         started        17 powershell.exe 23 11->17         started        process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Maps a DLL or memory area into another process 14->74 76 Sample uses process hollowing technique 14->76 80 2 other signatures 14->80 19 explorer.exe 56 1 14->19 injected 78 Loading BitLocker PowerShell Module 17->78 23 WmiPrvSE.exe 17->23         started        25 conhost.exe 17->25         started        process8 dnsIp9 40 www.memejseventhall.com 66.96.162.129, 49742, 80 BIZLAND-SDUS United States 19->40 42 sos-soutien.com 3.33.130.190, 49746, 80 AMAZONEXPANSIONGB United States 19->42 44 www.us-sumatrraslimbellytonic.com 44.219.53.183, 49745, 80 AMAZON-AESUS United States 19->44 56 System process connects to network (likely due to code injection or exploit) 19->56 27 cmstp.exe 19->27         started        signatures10 process11 signatures12 66 Modifies the context of a thread in another process (thread injection) 27->66 68 Maps a DLL or memory area into another process 27->68 70 Tries to detect virtualization through RDTSC time measurements 27->70 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-23 01:04:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gmoksgz2mq5kw6lfi665nhwnmjflcowcetvib6emusujq7agexrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fs83 rat spyware stealer trojan
Link:
https://tria.ge/reports/240423-qacneagd61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
139f75b55ff904e5ccbc51d61c61de935274c66cfa38d9cb859461ea2216bd81
MD5 hash:
cdf453020c11d01891a06da4b1ec17d3
SHA1 hash:
27f91c5c7afdc57847d17f8274ce3b3ba96bbf8b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/6eddf1b5-1b28-4bfe-b000-bbda401a9595/
Parent samples :
8ab205dc4d6f7c232cf9e2047a6abf4b2bb6425258cefeaf9b05e922c8229c6a
37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7
e1fd783c3c5c3a686b2ae04b64ecce2b3c5e00d2bed04cdbf8f420a57d82208e
3fce144519b73bde4b30740ced6678a0aebcfcf00c7ff2ed6f78034cd5900f56
331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3
eec2040b640e5b1806119e1a428d54c4dab8fe87e2afe89570d158968122e4bb
SH256 hash:
0f29fd7eabed08be913a617772df5746c29f1200b38b7055f9855e57f42d55ee
MD5 hash:
a9084bd72b3f2f9be9cd4372f8e94376
SHA1 hash:
dbfda75a70560cc848d218c1ff6117e4f61a72fa
Link:
https://www.unpac.me/results/6eddf1b5-1b28-4bfe-b000-bbda401a9595/
SH256 hash:
2d1815e7be305bebccc379537e237960b6a59b433f0d07fb8cdde141eee81ea1
MD5 hash:
ac3b6f7eca1933e3be0edc9c809d3fb3
SHA1 hash:
6e2b054cd581a6e16cfc10d4ff2f308eb5e6e23d
Link:
https://www.unpac.me/results/6eddf1b5-1b28-4bfe-b000-bbda401a9595/
SH256 hash:
0b8ce50168530bf0cb343b44f73db26252353b48843ad163b5c4d40f750b57d0
MD5 hash:
c1ec0dcd8de33cb2d41c7473e00a291a
SHA1 hash:
6c85c33563b9d3f4731b73ec9109b0832096739c
Link:
https://www.unpac.me/results/6eddf1b5-1b28-4bfe-b000-bbda401a9595/
SH256 hash:
331ca91b3a643aab796547bdd69ecd624ab13ac224ea80f88ca4a8987c0625e3
MD5 hash:
2417cdb09f72141abfa45cb64e699d91
SHA1 hash:
1ddc6b218dd520915ba8933e8214f307387b0e13
Link:
https://www.unpac.me/results/6eddf1b5-1b28-4bfe-b000-bbda401a9595/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/331ca91b3a64/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments