MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0
SHA3-384 hash: 79c785cb905a15aa69e8ce7f1e11009f1c7f61b508490033803dcceea3184467568148c38f39f0dbc4310f2d5edc2e26
SHA1 hash: bb42a2171b78a76dbe3d6d6f4222483f74eb3108
MD5 hash: a98fbd73262f445842542f1468307824
humanhash: magnesium-twelve-low-october
File name:BANK DEPOSIT #HR76.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:401'740 bytes
First seen:2023-10-03 07:03:03 UTC
Last seen:2023-10-03 13:18:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep 12288:BnPdwwFW+e3e57rCbP1fGVCGY1mZK+c7YkICBIKB2gDuC2:9PdwwFW+WIvm9b1mbCBIKDDu9
Threatray 146 similar samples on MalwareBazaar
TLSH T1C084125BD3A9C187D2720EB02C3856275BF8B6362AD8874FC380B70D7917543D92FA66
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "Sales Manager <office@sanres.ch>" (likely spoofed)
Received: "from [194.180.49.66] (unknown [194.180.49.66]) "
Date: "3 Oct 2023 04:30:42 +0200"
Subject: "Signed Purchase Order: PO/US/4509622207"
Attachment: "BANK DEPOSIT #HR76.exe"

Intelligence

File Origin
# of uploads :
3
# of downloads :
285
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.3310.17921.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed remcos shell32 threat virus
Link:
https://www.filescan.io/uploads/651bbcad426c8727d6e91905/reports/0273023a-d9d4-4633-9afc-0d9799f7e826/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec053e33-cb52-4c66-a149-368d0b221319
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318493
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 02:15:54 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 35 (62.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gns7b7tjpvdivbmjsynxbdm3axotjjb7hrovqnlkqnjqyj6zdhya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d9953bcc362548bbefbe63345d3b6058f26a875191a5e08fec4f106dc93c22c
Formbook
1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f
Formbook
4c55b72d6382b77ef4ba16dbb46b590e0db7a4aa888ddb82e73936e0623f9102
Formbook
50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1
Formbook
53f8211db510203634da93d5f2616ead5784031d1fd9d1ad245e25719fa974a9
Formbook
5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
Formbook
6300d368d310eceb7f16705109c32e58f5f6c3bc6d43503c69e20388f86c73a2
Formbook
738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a
Formbook
88005c410d3a18867eefc7ce9d13242fb12d72f1ba53204363d552782ba6b5fa
Formbook
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231003-hvd3zaag32/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
63bccd66871ef4f860b928398cf7a62de46f91618dbf9574030338e42b1dc76e
MD5 hash:
9208f48d9a7847c2a5b5586f74ca181e
SHA1 hash:
18f73def2df99210f49086b4cc7fd2e4e40d3945
Link:
https://www.unpac.me/results/9a757e1d-4aa5-4ae7-9105-edaabd36c591/
SH256 hash:
3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0
MD5 hash:
a98fbd73262f445842542f1468307824
SHA1 hash:
bb42a2171b78a76dbe3d6d6f4222483f74eb3108
Link:
https://www.unpac.me/results/9a757e1d-4aa5-4ae7-9105-edaabd36c591/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments