MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0
SHA3-384 hash:	22866042c4a1ee07821a7136c905b024bab90d010493c141c61936c516843c4414e163869351313d9bf1e1fdc9789c5c
SHA1 hash:	ab442c5b27a0d0bcf0a91d05dd46506b49248b9e
MD5 hash:	e133f241974100d83ac20081cb50b10a
humanhash:	delta-wolfram-wolfram-speaker
File name:	HSBC Payment Advice.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	818'688 bytes
First seen:	2024-09-05 15:46:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:OzjLf30WH0TuGEUlje2vHrLlKSXDiFMJqIBv3OUphTU2jCqys7DTjaogbaFWOyzi:ojj0y7UXPrLlKS7JDp+UpeMDPakkB
TLSH	T19F051291B257EE94E84B07F50836822012777E1D58EAE60C34DA7E5FB57330358A2F6B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook HSBC

Intelligence

File Origin

# of uploads :

# of downloads :

388

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

HSBC Payment Advice.exe

Verdict:

Malicious activity

Analysis date:

2024-09-05 15:58:56 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/03920e44-c4e0-42c2-9ef1-1db422612aa5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Msilheracles-10020638-0

Win.Packed.Agensla-10021078-0

Win.Packed.Formbook-10021419-0

Win.Dropper.Nanocore-10024150-0

Win.Packed.LokiBot-10026312-0

Win.Packed.LokiBot-10027126-0

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d9d2798e12b8124ac952ee

Tags:

Generic Static Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade overlay packed vbnet

Link:

https://www.filescan.io/uploads/66d9d279d5ff32eb15e55415/reports/90f0a75f-686e-411f-910c-164c7f480348/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c68a9de1-159a-4631-b0bf-1246d683bace

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1505050

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2024-09-03 05:53:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=grqkjbtfj4fgi75tkkgumlrvw7fz46n6m54xsdhvoi7fzuhz7xqa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240905-s77wxsvbrc/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2a6ab479-cd2b-499b-ad40-826faaad3006

Unpacked files

SH256 hash:

9bb8dec6de431eeaf8ce25c1cff727b463f2a4d4e9a2ae51051e730fe21e5388

MD5 hash:

1d5696638ee380f26b22821372c55737

SHA1 hash:

1de935fd04945ed0a1b2648f2d26a127020049dc

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/aa53990a-c4e9-48c4-81e0-ee180dcd4461/

Parent samples :

3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0
07374ff867cc60e550cbae355fbb87e46eb76fc7cd74ba4005125d1ac3329e52

SH256 hash:

432a253d18b28bd79bbd6b83d06186702b39af61efb5e0a99428c4797825831e

MD5 hash:

855813fac0680b766722f43fd1950709

SHA1 hash:

660cd0fd1920b15e44077fe672011f7298248504

Link:

https://www.unpac.me/results/aa53990a-c4e9-48c4-81e0-ee180dcd4461/

SH256 hash:

73e921fc681058866d9b8eb72ef7a3a4b066f4ad9b4ff23eab2dcded3667049d

MD5 hash:

1ea5a50614abd8bbaa64d0c887930862

SHA1 hash:

faa5f4b7ca655f1db8f35a81e1f42b4449499426

Link:

https://www.unpac.me/results/aa53990a-c4e9-48c4-81e0-ee180dcd4461/

SH256 hash:

7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f

MD5 hash:

7fa95c2554a74e0805581e20305069d8

SHA1 hash:

aa77eebba993f3e79b4971f5c135286e40b066a1

Link:

https://www.unpac.me/results/aa53990a-c4e9-48c4-81e0-ee180dcd4461/

SH256 hash:

5f45edef436c6fc3c162247e0c0c3658635db893fa07896f1be59596530aa241

MD5 hash:

03bf4c0dd988c8733c19078df49de732

SHA1 hash:

66e22dc2671f4c0bd9a1078047e689e7f89f9ef6

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/aa53990a-c4e9-48c4-81e0-ee180dcd4461/

SH256 hash:

3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0

MD5 hash:

e133f241974100d83ac20081cb50b10a

SHA1 hash:

ab442c5b27a0d0bcf0a91d05dd46506b49248b9e

Link:

https://www.unpac.me/results/aa53990a-c4e9-48c4-81e0-ee180dcd4461/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3460a486654f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3460a486654f0a647fb3528d462e35b7cb9e79be6779790cf5723e5cd0f9fde0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample