MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments 1

SHA256 hash:	3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6
SHA3-384 hash:	61379781ac54ad483eb43e28b64ab7e43ef6379dc5f3586e363edba5c51d6d4da8dd3c91de65912fd3ebb7327499a3de
SHA1 hash:	eaed674ac16bfedaf34c8ef1005cbb236ee647f0
MD5 hash:	f11ebc7e0b269ee17f61f7a4ab4ce9ec
humanhash:	florida-batman-xray-lima
File name:	f11ebc7e0b269ee17f61f7a4ab4ce9ec
Download:	download sample
Signature	Formbook Create hunting rule
File size:	813'568 bytes
First seen:	2021-10-14 11:17:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	978fa6788aee75614efce16a9b593468 (3 x RemcosRAT, 2 x Formbook, 1 x RedLineStealer)
ssdeep	12288:ZV17shYPLAsHSU8Qrn47tremr8bP/xz4Hr6+MBtI+BfZ8fQO:ZfwYxHSyMreg0P94HOtBZ8I
Threatray	10'640 similar samples on MalwareBazaar
TLSH	T12B059E165EFD907DD0E619B42D5B6A68DA2A7C0135322E092FE94CC8CB3536434BE27F
File icon (PE):
dhash icon	acacacb6a2968eaa (13 x RemcosRAT, 4 x Formbook, 4 x AveMariaRAT)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f11ebc7e0b269ee17f61f7a4ab4ce9ec

Verdict:

Malicious activity

Analysis date:

2021-10-14 21:27:19 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/a701f591-2ab6-4aba-8975-8a804dd0b193

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/197515/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader43.44051.6890.31365.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/616811f41c2d58ba7406494a/reports/1fc3213e-7b9f-4350-a480-18a817788922/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ad372c5-df01-47f8-b864-f5478704e678

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/870488

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2021-10-14 11:13:28 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gsimwx6zunzhel4v5vu4ihrd2xgsothgwpacj3axgglcuoaebhla._file

Verdict:

malicious

Label(s):

formbook

Formbook

700c8d2a1ebc0994ccd09f93acadb4806ed3554cdef24c8e9ef0b3801646bbde

Formbook

8fb0895d475560584335f48db057beb1840bbf685f180f46c53eb8aa8d8ec676

Formbook

99cdf3421923232c160c5075af3bf8620df65bd59cf99cc341f17a58e1eeb4f2

Formbook

9e433f562c623ddfcc0248f72a1c721916fc93ad56d18c4eb7ef6e60f8d7c1f2

Formbook

ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3

Formbook

b8dc1db94b5752524bd51980516ac00c095ef291ca89d8096db6cb4b4dab91b6

Formbook

f5447c22561c0692e385ef3c0ef0ed84d4ce35042f0839bddd7de9aeaa1f777a

Formbook

fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae

Formbook

ff577215d4aaa29ae63860167282ceeb0a703daadfdaef2155102500c269caa2

Formbook

+ 10'630 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ht08 loader persistence rat suricata

Link:

https://tria.ge/reports/211014-neb7bsghdn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.septemberstockevent200.com/ht08/

Unpacked files

SH256 hash:

18d5f2bb4c00c8e6fb62f43bc3878c615b600ec26bc25b98204cc2e945cd175a

MD5 hash:

b0d9d156b07f2199b3334fc6564c133d

SHA1 hash:

0c39614273b857121740e0142d1d9809de8bc41b

Detections:

win_unidentified_086_w0

Link:

https://www.unpac.me/results/7df6013e-314c-4920-b319-88892e4e7e21/

Parent samples :

b400601e35e72a20ca4a0fb19af7a93ddeddcd568674232cabb6c1e05ce4fd07
a643235802bd118331000b4a251952815382078dd0aaaded76e4a8890bbac5f6
33b01cf0eb422d872201670e34b732f76c980ae7ccb016068438272ed426a50b
fe6bd626fd98e3c0e4a2c350e5d927398e22e7731e7c2e1f31bc02181735c4e0
a97b00620e1e8ef9ef5c5f922f5b40ecf698504402d3e14979701c330bef7b56
90e1eac40edda005fffadbb1d16c652d16e685f8f4cf7375eb6ac928222c3a1c
1e54beecbd654f17bab2c6f883ea089943d68ae3e49aaea079182173dc203297
a0703367806de16bac9c75c016780c0bf3b1d8c21cf7f51b6a47b6a1aba74999
1ed62fd139d5efe1cb2650f52cf405d615dc19dae62744df9fb364cd1970a4bc
ffb6236e6dd03ba2599326f3d83d2ffabf8ab18902f1865aa0a68f1881e31978
99cdf3421923232c160c5075af3bf8620df65bd59cf99cc341f17a58e1eeb4f2
8f1eefd14608fae865576d9f7a24be116eb9d8dcebf89c954e2e645b06174c4e
f86258665b68d70e83397ac4ef17598c552b994dd13f26b8208c4d40b8e94816
ed78db064dfb4ae791498b2d08410a69bdad684ff709319d179c2383dd8e2f1c
3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6
d86532a631143032da8dd4e4fd86cbaed87777ef2ede4a60377d534cb9ea7271
298d542746dfa4922dd5fbc8fab572be58447c9dbd1481c55bd2254bb275684f
ffb0bd5cf5a1716fa50f01a4b4fd98d396842c7c263d3ce03623748430b30a93
a2067e35b12b83ddae55145931870302de477b5ccce82a5e86ea7bf8e057d8d7
a2539269c2b9200d7baed9f0dfc25b59fd4713a641d79fd9bd13272c7e1296ca
0aff281c192e919ce8a4e2091a058aa3c8fab2379dd50d7dd7ac7217af4dc838
cc8b096d71a4734e17e6f1bcf10d9730e5a2b3ab15b7e89852a4cdd204563d29
1e24e03e9ffdbe39ca8d357d0130aff5c50f2ddd7b2f613ab9dc01f02d0527d3
f60b6dfcaf466a9cf6b7831fcd74abc70efc16aec11d3b38fdbc7562003ba61b
67c445ff181fcaa6b46a1d1af78a9df1ac413593f29561e4fa43059c7ed85ace

SH256 hash:

3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6

MD5 hash:

f11ebc7e0b269ee17f61f7a4ab4ce9ec

SHA1 hash:

eaed674ac16bfedaf34c8ef1005cbb236ee647f0

Link:

https://www.unpac.me/results/7df6013e-314c-4920-b319-88892e4e7e21/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3490cb5fd9a3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1677123/

Cape

https://www.capesandbox.com/analysis/197515/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-10-14 11:17:47 UTC

url : hxxp://192.3.222.155/0050000/vbc.exe