MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394
SHA3-384 hash: 99bd832860418d39e5b667c1436e291f9c56032421f1b793b771e8946f3139d31c1f7f3e0773ed2f64d11ccce1d52837
SHA1 hash: aa6a3f7e0ce56efacd9fb0006da53a0a7d799039
MD5 hash: 1678634b1391c4aa723c10ea870528db
humanhash: friend-one-fourteen-juliet
File name:1678634b1391c4aa723c10ea870528db.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:585'728 bytes
First seen:2023-04-25 06:25:40 UTC
Last seen:2023-05-13 22:40:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:mJVaD6ljPQTxuReDrDUuUe02bwU/0pXSfDNmh/p7k:mJVyAPQTxuOlC2rQirwt
Threatray 3'264 similar samples on MalwareBazaar
TLSH T139C41260412BB7F9CC8D67BE4A54289443727487602AEB3C87E85DC9CD02F97FE4526B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4e22964caece4e8 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1678634b1391c4aa723c10ea870528db.exe
Verdict:
No threats detected
Analysis date:
2023-04-25 06:31:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf31debf-7968-4227-b8c5-1af4544e1d49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384711/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6447727c809528e43aab49ae/reports/9576dc4d-2b8e-43f3-be58-89aac2433730/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/785f8d84-abab-432d-b4eb-88649d85787e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220440
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 853386 Sample: Z2bXN35cB9.exe Startdate: 25/04/2023 Architecture: WINDOWS Score: 100 31 www.286vip.com 2->31 33 www.6pt7d8-6kjwds.com 2->33 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 6 other signatures 2->45 11 Z2bXN35cB9.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\Z2bXN35cB9.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 15 Z2bXN35cB9.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 2 6 15->18 injected process9 dnsIp10 35 www.286vip.com 137.175.10.9, 49699, 80 PEGTECHINCUS United States 18->35 37 www.luminouskin.net 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 help.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 09:00:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gz2khh423jjt3x7rl4dqucgldolwdb35kgj6q2zblaiscqsquoka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02ea9a838872751f53f53611015ee23062c2cbc9b71a962caf500e54a145e87e
Formbook
31d4fa7c04a77660000eeecf8f66e38d6108f460ea7b539744d7bf9216266a50
Formbook
3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a
Formbook
3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b
Formbook
4f3beb04e0d4713530c2f9c369c300186ab01d902f060a904e5648490e8ba708
Formbook
539d920211675f7cc535698b9223aae7d732e46d747bae86c00234e8b6dcb3ff
Formbook
5dc52da7b97835654bab2a3a39e93d412a50608bfd7dfccb87ff716c9aba6a37
Formbook
e044ecf0f485711cc6e4e8bbd56819838787b2365893783b3794a969ce2b5aeb
Formbook
e8120ddaa86fc56ab083a38b22ca366809e5d1196f3c10175bc745e3dfd15750
Formbook
f14965866d8a9a8c9a12cb2bef6c0cf53e72cbf7f8f61477b42f7aa4f9b417be
Formbook
+ 3'254 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ie59 rat spyware stealer trojan
Link:
https://tria.ge/reports/230425-g67nzsgh29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
1b9ddfe66cb6c18b47eed140f8a108e27d7ab426ca88631c81376ca128d79fde
MD5 hash:
0ac3ff2e7644fe915aff384a91d7ca4b
SHA1 hash:
c70091fa0eceb31d46bf5436cc7066719c9dc50b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3c5aabfb-90ad-4f5e-850b-8c9a19c0983b/
Parent samples :
3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394
c2720f6ee1602fecf28ce957b38accc0ebd54a27a466872b4863bb3edf063670
81fa240a670be8c74e02896fea0dcfed18383b2246a3ad53f7afd71487de1798
SH256 hash:
b4b23b7e636bba49bbf0c16d32feedc93ce14ae0a04c273178ea8ca1282643d0
MD5 hash:
8d2a5e4abdf3b819dca3c443e0ead53a
SHA1 hash:
eadbf628c4347df6135a1004b5dbc8cc6fe6ffa1
Link:
https://www.unpac.me/results/3c5aabfb-90ad-4f5e-850b-8c9a19c0983b/
SH256 hash:
2440455505b389df27602110227d8542c9dbf531c94846cf07c52b34a99e2a3a
MD5 hash:
db7587e3687e04fd4903afc1d803da6e
SHA1 hash:
4f3347827c71ce2bdfaacb8e3bdabba4ca3eb04c
Link:
https://www.unpac.me/results/3c5aabfb-90ad-4f5e-850b-8c9a19c0983b/
SH256 hash:
1330d6eb9066602f161a071a63be780e14413cc420e70c495921b29ea421f4da
MD5 hash:
876795cc6acb8857c8abe33e07cd1912
SHA1 hash:
3865b9ec2f7e61a45e59583beff17bdd50ec0978
Link:
https://www.unpac.me/results/3c5aabfb-90ad-4f5e-850b-8c9a19c0983b/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/3c5aabfb-90ad-4f5e-850b-8c9a19c0983b/
SH256 hash:
3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394
MD5 hash:
1678634b1391c4aa723c10ea870528db
SHA1 hash:
aa6a3f7e0ce56efacd9fb0006da53a0a7d799039
Link:
https://www.unpac.me/results/3c5aabfb-90ad-4f5e-850b-8c9a19c0983b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3674a39f9ada/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3674a39f9ada533ddff15f070a08cb1b9761877d5193e86b215811214250a394

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2615632/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/384711/

Comments