MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a
SHA3-384 hash:	0137fa5f68c4ef9a1299816a80c807e3d530e151029ec143dab99f216f32d521bcbe5237b694f83c61ce632c192d558f
SHA1 hash:	f3b2302c1c8e5518fa04bd5de476ee99692d3d82
MD5 hash:	369af4a519fde4fb79d515eb2530d790
humanhash:	september-oven-crazy-bacon
File name:	HSBC Payment Advice.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	733'406 bytes
First seen:	2022-02-10 18:49:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:VwD5XhiPDrhntzmOba24iOzBRSLdhy9szhJrB3VMBF5FFTYYGq/4mPyGFVhHTvaU:JJrB3w9YbvGPhHTaQRd0S+t8gE
TLSH	T1C2F47D83D14484DAEC6A17B2A83B9C7A14637EBD99F0981D219FBA360773393015BD1F
File icon (PE):
dhash icon	0703151921210929 (1 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook HSBC

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f3b2302c1c8e5518fa04bd5de476ee99692d3d82

Verdict:

Malicious activity

Analysis date:

2022-02-10 11:27:01 UTC

Tags:

installer trojan formbook stealer

Link:

https://app.any.run/tasks/3fa2a99b-82ab-4737-9644-a7bc0dcd4ad6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/240727/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62055e6c54047500bb3c60bf/reports/ae5bd504-063e-466c-a99c-d8df2a3d979a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8f1ecf55-aa12-43ab-960d-55f58a70582c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937870

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2022-02-10 14:18:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 42 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hazscjfyndvpkfbmisz4n2mx3ys3cnavvc33qp3qqatefhe77v5a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:r3hg rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220210-xgyb1safhp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

fb4082a719f22428b864ac82848e600214d36a37127a82b48c4c38effb20b668

MD5 hash:

d0116f73efdc719982834985c1c18728

SHA1 hash:

721be97f5c4eccfba557f12b493dfe4ce3c381d8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/acfe675f-1ce7-4458-b3be-de5d4b057581/

Parent samples :

8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8
d2d2107ce64f31669e2c8dbe31da2cc683087050492fa4e8e31940e30f33ff04
38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a
e149c419c1e3da9f42da46d4ba594ec7b97fc9a333bea11d1693b6750edf603b
14f417212aefc7dabfcb9585ffcf24081ae68584c68732c69e4bf6ebc1a9aeff

SH256 hash:

ecafe832546d9690cffd3a28b9b1eb18d2308932bfe37ad9da77678b6be75831

MD5 hash:

3147d5ab588c1364b8d0f8a9c16694de

SHA1 hash:

065a1c112105a6651f5ab92d241c62f4beb97b88

Link:

https://www.unpac.me/results/acfe675f-1ce7-4458-b3be-de5d4b057581/

SH256 hash:

38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a

MD5 hash:

369af4a519fde4fb79d515eb2530d790

SHA1 hash:

f3b2302c1c8e5518fa04bd5de476ee99692d3d82

Link:

https://www.unpac.me/results/acfe675f-1ce7-4458-b3be-de5d4b057581/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/38332124b868/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exec_macros Create hunting rule
Author:	ddvvmmzz
Description:	exec macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/240727/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample