MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
SHA3-384 hash: 8a4fcdfe688cf9764636534c43027b18327df5835652540546f8dfd1b906fae844bc621170a640b7a367295f59f51d9b
SHA1 hash: b026e15f84df130c5b61c152c709e9ec3de577c7
MD5 hash: 4a83869bc55310ad396531a68282b9fd
humanhash: lithium-kentucky-venus-sad
File name:M.R NO. 1212-00-RE-REQ-649-0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:259'453 bytes
First seen:2023-05-25 07:20:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:JYa6sl3x93+f1onecjFaHDpBg7gvjvOwXVyWI9o:JYaln+ynec8zx73lyWI9o
Threatray 2'907 similar samples on MalwareBazaar
TLSH T13244125D3FD0D86BD4A51A705EF993667FF0BD2298A09B0F57C07A9CB971722820E720
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
M.R NO. 1212-00-RE-REQ-649-0.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 07:23:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dad3969e-a144-4b2a-8190-e56e24898897

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391408/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22779.26291.6790.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87804/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/646f0c5ecf634b8f311b239b/reports/2005f298-3eff-4049-95fc-6efd711198da/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f6e77b2-15ee-424a-bc29-45419c4f725e
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242886
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 22:38:03 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdqjbwdupxitgldiky6f7aqeq5wss7wp5mfclwrsqlcxk6oo6p5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
123e747239c973af2c8b7dc8a33b26fdc3cb05f2be8af864290f823daae7d764
Formbook
43e743e060255d4a878a5fd14de21a97ae1fe045cd55dece4a9f1cd1857ee559
Formbook
8a1818f6e89fe3a6a0cae314467eb120d9e3f95ad6e17099c4f3f5e18d039929
Formbook
94a833628759b13c4fa9edb3b0612ffbb4e49da640bbbc9a587a126dc06efca1
Formbook
94dab2dcd48fb66d3a0836a2711083a5ee738603de0b47fecfed4e23711def16
Formbook
a865fc0e3e991a049cd158bf25d5ece089037075bacc38130a6dc8c165e5f803
Formbook
ad8fd0b0690db382dc13e6e8a7365581877af214c39ca5dd673b8cea760e8891
Formbook
b9fb6cc26328ecd1dfcd7f7296d3a5da0bbf305bbe86484aebc0a03c7162e876
Formbook
e14890d40be2216c014475cac45debe0d23a1e6eb333908c814034b1df73b73d
Formbook
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
Formbook
+ 2'897 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230525-h6m51sgf54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
50d375d039b81b3f2abc9da7d866ada6d600ffc58274413ec1a4573439eb2e3a
MD5 hash:
9dd289bc345e6e01c6f0e69bcdd1ef3e
SHA1 hash:
11d7773861e887c09961f9e9632200ccc73baf28
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/065bf60a-d6ab-407f-88c2-6c0b4c9ae93c/
Parent samples :
d02ef9df3bc1af2c02ad5a9904ea604a55a6a93b5e08ca518232b96fec13882f
c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5
38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12
SH256 hash:
cc05c5a52e169abc5033c80c5c5c9b4bb3ceb451ee3afe816e17c8fe00e28d24
MD5 hash:
ea74c2e435710fe5727e02b97d578468
SHA1 hash:
d635ea803de96e5ea4d4d9e70427e2c4e9ff3a14
Link:
https://www.unpac.me/results/065bf60a-d6ab-407f-88c2-6c0b4c9ae93c/
SH256 hash:
95c3592b4e87109fa06be6a67378a68dcf31a157208a31a31b10e75252c8c5cd
MD5 hash:
2c4248b850bf9b850d870b35b3aa6c35
SHA1 hash:
04ba1633d586b290bf1fbb95e858ecbcfa532222
Link:
https://www.unpac.me/results/065bf60a-d6ab-407f-88c2-6c0b4c9ae93c/
SH256 hash:
38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
MD5 hash:
4a83869bc55310ad396531a68282b9fd
SHA1 hash:
b026e15f84df130c5b61c152c709e9ec3de577c7
Link:
https://www.unpac.me/results/065bf60a-d6ab-407f-88c2-6c0b4c9ae93c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38e090d8747d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391408/

Comments