MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c
SHA3-384 hash:	beedf3c0aeb32e4ff35b7a271f727a48836fe4c472bf349113fe1c4c0a184b2a85c2b3da47edd659959ca0954bc73793
SHA1 hash:	5030c312545901872262a6c8602fef73f6e413c9
MD5 hash:	ac1429ffb0da2f0566c6d962f3726722
humanhash:	sierra-wolfram-cat-carbon
File name:	SecuriteInfo.com.Trojan.GenericKD.49372806.12532.25705
Download:	download sample
Signature	Formbook Create hunting rule
File size:	241'336 bytes
First seen:	2022-07-15 21:33:00 UTC
Last seen:	2024-07-24 13:07:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:uDR+EoI/diWXmZbcziFyD4hxYE9PoMqjKuTRhEEeL6vCXJ71Hq:/EoIIZMLsyEOMq2uTDEEeL6ybK
Threatray	69 similar samples on MalwareBazaar
TLSH	T10134E19C72D074CECC17D9725AB80C28FE21B5A6A757D607B063226DDA4C68BEF150F2
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

https://cdn.discordapp.com/attachments/997451214755201104/997451433530105918/Zamowienie_zakupu_PO-Eu598303.7z

Verdict:

Malicious activity

Analysis date:

2022-07-15 12:44:08 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/79c157b7-81c3-4407-b0e0-d22b931a19d5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/290764/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.49372806.12532.25705.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/62d1dd680b00dfa734f3303d/reports/3e5e02c5-4399-4743-a30a-2c4ad7022a19/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/68648b5f-e1a8-484e-a2e0-1466781a6c35

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1033047

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-07-15 12:15:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hd57j33dsoggc4ara6zcnpxyjum2gv5scwbqzztacaop432z45oa._file

Verdict:

malicious

Formbook

46c9851a885a5107ee0e777e5603c2dee3444616eb6a9ec23c63434c7236c7ca

Formbook

59b646e15716cec57916f75006361b3e369b243918fcd5cc3fffb9be230acda7

Formbook

9cdf3733470f8fe5ab1cf50b6fe74f3aaa810996f3539ac969680aa55b4da383

Formbook

a4f2c25ec87ce23bc806750cbd27dc3eb051066ba0a8de8b80914257624cf498

Formbook

be395c09e64da3651f1a0380af0e4e495c6e4a412bc8e0b7e89de2cd53f8abbc

Formbook

c187aa087dc7554493f7dca9c772d3b5e06def3281e7408b7c93309fff0ae3d6

Formbook

d50d36d60b72642c6470efa03def6f91d7fef78790ac1215416659dd5bbca94e

Formbook

ea39ef726a260646969f23058b85b56d46bec1625b0be4c7e6ca4fe1ef067c05

Formbook

+ 59 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:vweq loader rat spyware stealer suricata

Link:

https://tria.ge/reports/220715-1d7ytseef9/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Blocklisted process makes network request

Xloader payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

f93e9981a81b0f7db18b7dc39f25f29c02f639d5a6223d4a0593950a6c657cdd

MD5 hash:

3324ff03f3e3fa0f045e0ecde513eb5e

SHA1 hash:

c23458d1aab751b011a7ff20e9a8df4c8f06b1d2

Detections:

win_formbook_g0

win_formbook_auto

XLoader

Link:

https://www.unpac.me/results/db58359a-8ef9-415b-ac2f-9f6a76b6d50d/

Parent samples :

276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80
e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d
b9420d9aebcbac4b5e7410b11383972bc328409d01d3ac2b7188ec7176f28cce
cae9a0644fd5cc322d7507cb395211a8af890df841bcd028f56e77399ada378b
be5b336a3ad03b3b70a286e38ba35c631f7d98f3c54e996c2e787f225b449879
38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c

SH256 hash:

38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c

MD5 hash:

ac1429ffb0da2f0566c6d962f3726722

SHA1 hash:

5030c312545901872262a6c8602fef73f6e413c9

Link:

https://www.unpac.me/results/db58359a-8ef9-415b-ac2f-9f6a76b6d50d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/38fbf4ef63938c61701107b226bef84d19a357b215830ce660101cfe6f59e75c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/290764/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample