MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5
SHA3-384 hash: 3c4da7b263e9ed6417b94378d044fd41bfca40d57eb379d55fe9cb36ccd075ca81c1a60daa57297c3bddf92de3cc29fe
SHA1 hash: a79e64e217a3f65f33e654dcd2ea81a73fe596c5
MD5 hash: 2f5c67adb1934539e23d76ca80db30db
humanhash: green-oklahoma-wyoming-fix
File name:2f5c67adb1934539e23d76ca80db30db
Download: download sample
Signature Formbook
Create hunting rule
File size:472'117 bytes
First seen:2021-12-16 09:35:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:+LYv3ZSuMtQNHBktoH4/scdIceoOdwPSt20OGWWf/p:+upwtQNut4FcCcePw6t20OGf/p
Threatray 12'436 similar samples on MalwareBazaar
TLSH T130A4231E16D0B943FA85877053B1A951FBF4D3D912263A07CB705F3CADA28DB039A19E
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214552/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.5719.1241.23253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61bb08888541392eb4ea4b49/reports/c1c58d9e-339b-40c1-9c23-ba32236888f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c99fcae8-112e-4054-aadf-5966eb68d7a1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908393
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540869 Sample: HU1rz9Czoh Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 32 www.alibabasdeli.com 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 11 HU1rz9Czoh.exe 17 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\mshidihifdk.dll, PE32 11->30 dropped 62 Tries to detect virtualization through RDTSC time measurements 11->62 64 Injects a PE file into a foreign processes 11->64 15 HU1rz9Czoh.exe 11->15         started        signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 Queues an APC in another process (thread injection) 15->72 18 explorer.exe 15->18 injected process9 dnsIp10 34 www.lrcrepresentacoes.net 162.215.226.4, 49857, 80 PUBLIC-DOMAIN-REGISTRYUS United States 18->34 36 www.vaginette.site 98.124.204.16, 49859, 80 ENOMAS1US United States 18->36 38 7 other IPs or domains 18->38 50 System process connects to network (likely due to code injection or exploit) 18->50 52 Performs DNS queries to domains with low reputation 18->52 22 rundll32.exe 12 18->22         started        signatures11 process12 dnsIp13 40 www.eajui136.xyz 22->40 54 System process connects to network (likely due to code injection or exploit) 22->54 56 Performs DNS queries to domains with low reputation 22->56 58 Self deletion via cmd delete 22->58 60 3 other signatures 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-13 20:43:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
045c15ef3a76b61d487b30e3e554c77afbc4f3fc17078d3818b5392de608a92e
Formbook
3ff28d4f5a5b236c660c2714bf1b5a515cf72cd738afea35b916938024644538
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
7c0ab1d837684e8d37e75578f4821e25d7729cb9d3739f397cabbb9c95f2ddae
Formbook
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
Formbook
90f9e8094fe8847f4b4521afafd5c5e59d4368ddc26a4f589730cd998520fd50
Formbook
+ 12'426 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:nk6l rat spyware stealer trojan
Link:
https://tria.ge/reports/211216-lkxn4scebk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Unpacked files
SH256 hash:
3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5
MD5 hash:
2f5c67adb1934539e23d76ca80db30db
SHA1 hash:
a79e64e217a3f65f33e654dcd2ea81a73fe596c5
Link:
https://www.unpac.me/results/b98cf036-95ea-454f-9867-8e31e9dd675d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1890107/
Cape
Cape
https://www.capesandbox.com/analysis/214552/

Comments