MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3407864368687cf310e2cc011b1446b7a2d1caf28cef7ed58d01fa71293f07bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3407864368687cf310e2cc011b1446b7a2d1caf28cef7ed58d01fa71293f07bd
SHA3-384 hash: d99839cf0d1e301b0087300bb485f1e954564fe961f56dfec7f95b3b250beeac24637ebd5bd5e55455a48a1b22fdd7ef
SHA1 hash: 95790058b2740dff39438bf2594bd128cb0d615f
MD5 hash: c431fedb18ff76ae67ac19f6792bf66e
humanhash: lima-september-march-papa
File name:Scan#0068-46c3365.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:237'729 bytes
First seen:2021-08-02 07:47:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 79bcb07d7acd978f9ca84095c744e3ba (3 x Formbook, 2 x SnakeKeylogger, 1 x Neshta)
ssdeep 6144:s8EedTUftJu6jf4Ugf4fg62JKl8h7aCdkW7mP:jbTUFJuuA4fg62e8day+
Threatray 7'246 similar samples on MalwareBazaar
TLSH T1E034123DC27A429FE077A4F2E33EA114705935D52D1CB4DB5422FC0EA659AC8BC31E8A
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
575
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan#0068-46c3365.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 07:49:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9943ff65-4b54-49c6-b046-3a9a4bf1b5b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175716/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ca3ffa9-ca47-40f1-94bd-02276a5dcfc3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825367
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457782 Sample: Scan#0068-46c3365.exe Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 34 www.boozateria.com 2->34 36 boozateria.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 4 other signatures 2->46 11 Scan#0068-46c3365.exe 2->11         started        signatures3 process4 signatures5 54 Detected unpacking (changes PE section rights) 11->54 56 Maps a DLL or memory area into another process 11->56 58 Tries to detect virtualization through RDTSC time measurements 11->58 14 Scan#0068-46c3365.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 28 lakesview.estate 103.27.32.42, 49766, 80 SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU Australia 17->28 30 woodriverdelivers.com 170.39.76.138, 49767, 80 PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY Reserved 17->30 32 17 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 21 raserver.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3407864368687cf310e2cc011b1446b7a2d1caf28cef7ed58d01fa71293f07bd/
Threat name:
Win32.Spyware.OutBreak
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 12:40:51 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1cd93c07c439d16266f2276b1f38c53b57cd0de59490b6857044eda8abe78c01
Formbook
1eaac3194b53e9523347d6d8392bb9ac437437217b530f2c61a270459c7da06e
Formbook
2fcedf25cd8c0df5db7864ff3663f6a923eb3cdf1a30619a2eeb69df58e1c4f1
Formbook
52208fdea02024ab93aebbc72f62d3b105644d5afcb4d8de494f001f87a03a9d
Formbook
a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934
Formbook
b840f470d0cb4edaa85663b15f539593e3c31d81cec9e9ed1bb1c2539fc8d20c
Formbook
b9b1a3245f7aa2f9fadc4cff8343866030a63f297167df00ca0aa4284f453be1
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
+ 7'236 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210802-sahx6x8cpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.northriverlawns.com/q3t0/
Unpacked files
SH256 hash:
d01f1b68cd4b87036d8ce4d307f76205b708cd0fcd0e757e6d2de206cd5ce4a0
MD5 hash:
a3a155e53969bb3c5b6e2c392d482f63
SHA1 hash:
42a5d86bc0dbffcb46435a34bafed0fe31332854
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8a43d026-493f-46b5-afb0-2c9ce4e6399c/
Parent samples :
52208fdea02024ab93aebbc72f62d3b105644d5afcb4d8de494f001f87a03a9d
54f0db8ab08387aa0cee79b3ab7efeb0056d1aa9c46e36093db156ffa7fd29dc
a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934
3407864368687cf310e2cc011b1446b7a2d1caf28cef7ed58d01fa71293f07bd
SH256 hash:
3407864368687cf310e2cc011b1446b7a2d1caf28cef7ed58d01fa71293f07bd
MD5 hash:
c431fedb18ff76ae67ac19f6792bf66e
SHA1 hash:
95790058b2740dff39438bf2594bd128cb0d615f
Link:
https://www.unpac.me/results/8a43d026-493f-46b5-afb0-2c9ce4e6399c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/3407864368687cf310e2cc011b1446b7a2d1caf28cef7ed58d01fa71293f07bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175716/

Comments