MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf
SHA3-384 hash: 310daa1dcbaf6136a9e33eb059cba07151b7e40b987079dab71cc553f47e1b50304da062f0310d2f08f8c472706111a5
SHA1 hash: a20ffd4e6f186776ea7d3165067a4275cdd727b1
MD5 hash: c6a3f7f84ef747da790fb9fd87843a4e
humanhash: uranus-saturn-ink-whiskey
File name:c6a3f7f84ef747da790fb9fd87843a4e
Download: download sample
Signature Formbook
Create hunting rule
File size:520'704 bytes
First seen:2022-03-11 18:15:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5lW9yOU5lDHoYdso8Q1gfuGLtqfNRUZF:q9NU5h188gJLosZF
Threatray 14'232 similar samples on MalwareBazaar
TLSH T11CB4CF16EF5B82A2CF352E765FB16BA01B84FE11E5B3C24320D42DE405AF7972C63499
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249646/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622b91e90cd58dbd927ffdd7/reports/9eeda741-b95e-4996-befa-0c512493cec6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/134cbeca-c3a0-49f3-8829-7674d7ed4e96
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955117
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 587596 Sample: 9eD8RYGg2r Startdate: 11/03/2022 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 7 other signatures 2->62 10 9eD8RYGg2r.exe 1 5 2->10         started        14 huss.exe 3 2->14         started        process3 file4 42 C:\Users\user\AppData\Local\huss.exe, PE32 10->42 dropped 44 C:\Users\user\...\huss.exe:Zone.Identifier, ASCII 10->44 dropped 46 C:\Users\user\AppData\...\9eD8RYGg2r.exe.log, ASCII 10->46 dropped 64 Tries to detect virtualization through RDTSC time measurements 10->64 16 9eD8RYGg2r.exe 10->16         started        19 9eD8RYGg2r.exe 10->19         started        21 9eD8RYGg2r.exe 10->21         started        66 Antivirus detection for dropped file 14->66 68 Multi AV Scanner detection for dropped file 14->68 70 Machine Learning detection for dropped file 14->70 23 huss.exe 14->23         started        25 huss.exe 14->25         started        signatures5 process6 signatures7 48 Modifies the context of a thread in another process (thread injection) 16->48 50 Maps a DLL or memory area into another process 16->50 52 Sample uses process hollowing technique 16->52 54 Queues an APC in another process (thread injection) 16->54 27 explorer.exe 16->27 injected process8 process9 29 WWAHost.exe 27->29         started        32 huss.exe 2 27->32         started        34 svchost.exe 27->34         started        signatures10 72 Self deletion via cmd delete 29->72 74 Tries to detect virtualization through RDTSC time measurements 29->74 36 cmd.exe 1 29->36         started        38 huss.exe 32->38         started        process11 process12 40 conhost.exe 36->40         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 18:16:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnkl7mo5a25oaeinvrbwhmj732by5auzv6gzvs3h7zndtlsblg7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b7b92e40a75e7c96676e65733f2babfdf0c37529c130619510b2b0b7879a697
Formbook
38444024682d6ea391135d374ecd6f457bb01df512801e25fcbd2931afe58d92
Formbook
3b10fd5bae448476e22cca9c4b9b12263c089af68ebfeb7159ddaf2f4ec3e7bc
Formbook
4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a
Formbook
58fb47124bf49f4190852baec863af03f73216cbba65c7eaa527f6ec6612e42b
Formbook
6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267
Formbook
b81070ab1c53b68f110a8127a7b1bc7fc83d9726c50e787949cac94f809bd92d
Formbook
cee2290e27d378faacd5a9ab5fc579e912c1ecee9db29e4e79d8b9cd7ee10c94
Formbook
dae8588b604d0728a1a1ecc77096197a34ed1b22ae7de69a53f39b59e6574ffd
Formbook
e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
Formbook
+ 14'222 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:vfm2 loader persistence rat
Link:
https://tria.ge/reports/220311-wwg3xadfer/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
c67e1109105d84d3ca1d671a07268f7be10ebdf19129dc7e6f197ee579e915a4
MD5 hash:
68ec2936aaccbc9bddf307fface791a8
SHA1 hash:
90887bd1b4190808580dc0952767e0f61a9147c3
Link:
https://www.unpac.me/results/c26605d7-bc7c-4a8a-9a9f-288427c2a80d/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/c26605d7-bc7c-4a8a-9a9f-288427c2a80d/
SH256 hash:
aebfe918b516192a6ecdad451f90e8ae597b91d8c650be89363c45d20f5a41cb
MD5 hash:
4c3cfedf5d918c8277075db324ba11de
SHA1 hash:
eca39c0b3ec056a38e9c3a75902a40af9480cf2e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c26605d7-bc7c-4a8a-9a9f-288427c2a80d/
Parent samples :
4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b
94e8308989d63f75b02e89c5d30e01d9d7dedbf7bb446d3aa6fb83b6e20bcecc
3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf
6e164cb51ca6a0c1c9c27d4d4fece6d970bfe924be2f5766fd2d04bd59fe0d6e
c349c8a20c6576c397a5dff95fb121e7a16dfdd992e08694a4aacf387cf8c3e7
19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
SH256 hash:
3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf
MD5 hash:
c6a3f7f84ef747da790fb9fd87843a4e
SHA1 hash:
a20ffd4e6f186776ea7d3165067a4275cdd727b1
Link:
https://www.unpac.me/results/c26605d7-bc7c-4a8a-9a9f-288427c2a80d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3354bfb1dd06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2090573/
Cape
Cape
https://www.capesandbox.com/analysis/249646/

Comments


Avatar
zbet commented on 2022-03-11 18:15:54 UTC

url : hxxp://107.172.76.178/hrh/go.exe