MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a
SHA3-384 hash: 21f6e7202faf0759e934e660f096796ef09e510bda5c47f5cfa14b477af43795d6f7f8ee4bece6e5f87adbafa3764b96
SHA1 hash: 95df4da1763ed9ceee3b426aa3107569aea33ab9
MD5 hash: 268099395e7bfa6fbfc3e0365dadfda9
humanhash: muppet-yellow-emma-louisiana
File name:Ordine_2723.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:476'672 bytes
First seen:2023-02-27 09:57:08 UTC
Last seen:2023-02-28 08:08:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:anvvZxNmAc4xCS9qEcBihIrKr/f43N0PBzqTjfm8:4NJv9db2Kb43GPBeW
Threatray 1'143 similar samples on MalwareBazaar
TLSH T1A2A41203DCCA8FC2ED8348F4F5147271CE35666981AAE94D36CACD89E8F615109717EB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
193
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Ordine_2723.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 11:30:58 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/c9421b27-4940-438a-a263-f17231c27b29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370143/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.3443.22338.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fc7eae885563d6c8bc1701/reports/e4562ddc-dcfa-414f-be6e-d9cfcfd9edb4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c65cfe8-f429-49b1-a512-53b340776016
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183025
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 815854 Sample: Ordine_2723.exe Startdate: 27/02/2023 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 5 other signatures 2->42 8 Ordine_2723.exe 3 2->8         started        process3 file4 28 C:\Users\user\AppData\...\Ordine_2723.exe.log, CSV 8->28 dropped 46 Writes to foreign memory regions 8->46 48 Injects a PE file into a foreign processes 8->48 12 jsc.exe 8->12         started        15 vbc.exe 8->15         started        17 mscorsvw.exe 8->17         started        19 8 other processes 8->19 signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 12->58 60 Maps a DLL or memory area into another process 12->60 62 Sample uses process hollowing technique 12->62 64 Queues an APC in another process (thread injection) 12->64 21 explorer.exe 3 6 12->21 injected process8 dnsIp9 30 www.glbinwene.com 156.236.69.171, 49714, 80 YISUCLOUDLTD-AS-APYISUCLOUDLTDHK Seychelles 21->30 32 www.bestmarket.website 199.192.31.98, 49723, 49724, 49725 NAMECHEAP-NETUS United States 21->32 34 7 other IPs or domains 21->34 44 System process connects to network (likely due to code injection or exploit) 21->44 25 chkdsk.exe 13 21->25         started        signatures10 process11 signatures12 50 Tries to steal Mail credentials (via file / registry access) 25->50 52 Tries to harvest and steal browser information (history, passwords, etc) 25->52 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 09:28:37 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=guqkf4k7qmjrzstfd55zwv2wvtrqro5rr5ux4r65ewmagbt3fffa._file
Verdict:
malicious
Similar samples:
2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b
Formbook
47441e1d63c39f1ef422b3b073c68e8ad740070404c9a2f0c5e9e3910440092e
Formbook
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
Formbook
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
Formbook
97d0ae0beec904150a930b48417c81ad44b8ff83c978138a591e16a13364caeb
Formbook
98b086595cf2d76a5aa7677c6e66fa49972630ad9adc81eb73079744d550e175
Formbook
aa0e0b9735614a120e1d49cd292470953e32f8d7b3fd299c0f7561400c4da72f
Formbook
bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
Formbook
e2dbdd45e11e2b7e32caef9e2f4365d05e63eaf13724bea2ed842a503adb802f
Formbook
+ 1'133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230227-lzhhqscg8z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a
MD5 hash:
268099395e7bfa6fbfc3e0365dadfda9
SHA1 hash:
95df4da1763ed9ceee3b426aa3107569aea33ab9
Link:
https://www.unpac.me/results/ecaccc35-54f1-4fec-ad71-04245ccb67fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3520a2f15f83131cca651f7b9b5756ace308bbb18f697e47dd259803067b294a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/370143/

Comments