MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3734b280fc097fb346c6399723b4a16a3362ca0bdd29faf573759b3d2795a046. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3734b280fc097fb346c6399723b4a16a3362ca0bdd29faf573759b3d2795a046
SHA3-384 hash: 97b2977cb3ff639898d99bec2e464b41837d5cd512fce1cd6d0cd9659943bc3c4ac43c5442745968bbf9a567a46a3b87
SHA1 hash: ffcbd9fc356a2078ae8c5f1c563b80a8118a44ee
MD5 hash: ec1993462e3072b4dd71f5e6e8d88424
humanhash: arizona-king-johnny-white
File name:SecuriteInfo.com.W32.AIDetect.malware2.23597.12734
Download: download sample
Signature Formbook
Create hunting rule
File size:744'960 bytes
First seen:2022-06-01 10:43:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d1ae7301f899d475bee51a2be94917b (3 x Formbook, 2 x AveMariaRAT, 2 x ModiLoader)
ssdeep 12288:iuOVJ0xy2EhIlyuOQ4Yb5yTxKBLVWgrfbtVSX3x7FRS8HWAWMeM7jEOd/Q:ipIyhIfD5yWJWgntVSn52bD/MMOd/Q
TLSH T109F47E21F2E1C533C36256384D577AB96E75BD30FC24A80567ECDCC88E3AE81B626197
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.23597.12734
Verdict:
Malicious activity
Analysis date:
2022-06-01 10:58:30 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/9092d58e-60e5-42d8-882e-70c312a37a2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276016/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.23597.12734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9e5e86d-7b7c-4b92-99e8-9da058f84e60
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004954
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 637450 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 01/06/2022 Architecture: WINDOWS Score: 100 44 www.littlemonstersdao.com 2->44 46 parkingpage.namecheap.com 2->46 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for URL or domain 2->78 80 6 other signatures 2->80 11 SecuriteInfo.com.W32.AIDetect.malware2.23597.exe 1 19 2->11         started        signatures3 process4 dnsIp5 60 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49743, 49751 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->60 62 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49738, 49748 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->62 64 3 other IPs or domains 11->64 40 C:\Users\Public\Libraries\Kupylhevfh.exe, PE32 11->40 dropped 42 C:\Users\...\Kupylhevfh.exe:Zone.Identifier, ASCII 11->42 dropped 102 Writes to foreign memory regions 11->102 104 Allocates memory in foreign processes 11->104 106 Creates a thread in another existing process (thread injection) 11->106 108 2 other signatures 11->108 16 logagent.exe 11->16         started        file6 signatures7 process8 signatures9 66 Modifies the context of a thread in another process (thread injection) 16->66 68 Maps a DLL or memory area into another process 16->68 70 Sample uses process hollowing technique 16->70 72 2 other signatures 16->72 19 explorer.exe 2 16->19 injected process10 process11 21 Kupylhevfh.exe 16 19->21         started        25 Kupylhevfh.exe 16 19->25         started        27 help.exe 19->27         started        29 2 other processes 19->29 dnsIp12 48 vyqlew.bn.files.1drv.com 21->48 50 onedrive.live.com 21->50 56 2 other IPs or domains 21->56 82 Antivirus detection for dropped file 21->82 84 Multi AV Scanner detection for dropped file 21->84 86 Machine Learning detection for dropped file 21->86 88 Injects a PE file into a foreign processes 21->88 31 logagent.exe 21->31         started        52 vyqlew.bn.files.1drv.com 25->52 54 onedrive.live.com 25->54 58 3 other IPs or domains 25->58 90 Writes to foreign memory regions 25->90 92 Allocates memory in foreign processes 25->92 94 Creates a thread in another existing process (thread injection) 25->94 34 logagent.exe 25->34         started        96 Modifies the context of a thread in another process (thread injection) 27->96 98 Maps a DLL or memory area into another process 27->98 100 Tries to detect virtualization through RDTSC time measurements 27->100 36 cmd.exe 1 27->36         started        signatures13 process14 signatures15 110 Modifies the context of a thread in another process (thread injection) 31->110 112 Maps a DLL or memory area into another process 31->112 114 Sample uses process hollowing technique 31->114 38 conhost.exe 36->38         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3734b280fc097fb346c6399723b4a16a3362ca0bdd29faf573759b3d2795a046/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 07:06:45 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g42lfah4bf73grwghglshnfbnizwfsql3uu7v5ltownt2j4vubda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader campaign:apg5 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220601-msapzsbfhp/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
ModiLoader Second Stage
Xloader Payload
Formbook
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/3142cb13-1765-4833-8e00-56be79402f70/
SH256 hash:
3734b280fc097fb346c6399723b4a16a3362ca0bdd29faf573759b3d2795a046
MD5 hash:
ec1993462e3072b4dd71f5e6e8d88424
SHA1 hash:
ffcbd9fc356a2078ae8c5f1c563b80a8118a44ee
Link:
https://www.unpac.me/results/3142cb13-1765-4833-8e00-56be79402f70/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3734b280fc097fb346c6399723b4a16a3362ca0bdd29faf573759b3d2795a046

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276016/

Comments