MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4
SHA3-384 hash: 31464429b0e02cc2681c8dd7d2ad1f943909be4a46d747be2d27aad7f513193a60bf6f7f9c657cddc4774da1d8de555f
SHA1 hash: 0d7ef9122a9bca045607f8397c476a24fc2c0553
MD5 hash: 0ff53c4fcc6b65dea0d1883564e08808
humanhash: pasta-carpet-bluebird-gee
File name:Nowe zamówienie zakupu pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'126'432 bytes
First seen:2024-09-12 08:00:19 UTC
Last seen:2024-09-12 08:24:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0191d85a19a8b2677fb8f9c2248f4479 (5 x Formbook)
ssdeep 49152:ufDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszv8u1mlSCg3:ufDQQsKbq
Threatray 55 similar samples on MalwareBazaar
TLSH T10DA5BE14E3A801A8E467D738CA659333D6B079524730E58F0A9DD6452F73EA2AF7F312
TrID 47.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
35.2% (.EXE) InstallShield setup (43053/19/16)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Anonymous
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-09-12T04:46:30Z
Valid to:2025-09-12T04:46:30Z
Serial number: 3d1cd3d22ad9c104b8466d05ebc21791
Thumbprint Algorithm:SHA256
Thumbprint: ade7a5a87baa29fa331a553fdec856791a2c067b5b0fd9568433092dc3deeaa7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
390
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Nowe zamówienie zakupu pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-09-12 08:03:22 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/66dd287f-5378-4670-a251-f36b80fb115e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.28767.29175.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e29fc0751db35a8b9f7dcf
Tags:
Encryption Execution Static Stealth Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Labled as:
Fugrafa.Generic
Link:
https://www.hybrid-analysis.com/sample/39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f85bacbc-991d-4630-8b51-298b8c13f602
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1509911
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1509911 Sample: Nowe zam#U00f3wienie zakupu... Startdate: 12/09/2024 Architecture: WINDOWS Score: 100 62 www.rrivalgetaways.info 2->62 64 www.rey.app 2->64 66 11 other IPs or domains 2->66 70 Suricata IDS alerts for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 9 other signatures 2->76 11 Nowe zam#U00f3wienie zakupu pdf.exe 1 3 2->11         started        signatures3 process4 file5 60 C:\...60owe zam#U00f3wienie zakupu pdf.exe, PE32+ 11->60 dropped 90 Creates autostart registry keys with suspicious names 11->90 92 Writes to foreign memory regions 11->92 94 Allocates memory in foreign processes 11->94 96 3 other signatures 11->96 15 vbc.exe 11->15         started        18 powershell.exe 23 11->18         started        20 conhost.exe 11->20         started        signatures6 process7 signatures8 118 Modifies the context of a thread in another process (thread injection) 15->118 120 Maps a DLL or memory area into another process 15->120 122 Sample uses process hollowing technique 15->122 126 3 other signatures 15->126 22 explorer.exe 64 8 15->22 injected 124 Loading BitLocker PowerShell Module 18->124 26 conhost.exe 18->26         started        process9 dnsIp10 68 www.olocal.app 84.16.66.164, 62474, 80 INFOMANIAK-ASCH Switzerland 22->68 88 Uses ipconfig to lookup or modify the Windows network settings 22->88 28 Nowe zam#U00f3wienie zakupu pdf.exe 2 22->28         started        31 Nowe zam#U00f3wienie zakupu pdf.exe 22->31         started        33 ipconfig.exe 22->33         started        35 2 other processes 22->35 signatures11 process12 signatures13 98 Writes to foreign memory regions 28->98 100 Allocates memory in foreign processes 28->100 102 Adds a directory exclusion to Windows Defender 28->102 37 ilasm.exe 28->37         started        40 powershell.exe 23 28->40         started        42 conhost.exe 28->42         started        52 2 other processes 28->52 104 Sample uses process hollowing technique 31->104 106 Injects a PE file into a foreign processes 31->106 44 iexplore.exe 31->44         started        46 powershell.exe 31->46         started        48 conhost.exe 31->48         started        108 Modifies the context of a thread in another process (thread injection) 33->108 110 Reads the DNS cache 33->110 112 Maps a DLL or memory area into another process 33->112 114 Switches to a custom stack to bypass stack traces 33->114 50 cmd.exe 1 33->50         started        116 Tries to detect virtualization through RDTSC time measurements 35->116 process14 signatures15 78 Modifies the context of a thread in another process (thread injection) 37->78 80 Maps a DLL or memory area into another process 37->80 82 Sample uses process hollowing technique 37->82 86 2 other signatures 37->86 84 Loading BitLocker PowerShell Module 40->84 54 conhost.exe 40->54         started        56 conhost.exe 46->56         started        58 conhost.exe 50->58         started        process16
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4/
Threat name:
Win64.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-12 08:01:12 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=heyqwn6nfdm2kwoggy34j5pjmsonv3zmzlqsnemt4fa62uachlsa._file
Verdict:
malicious
Similar samples:
3ca79e899fc4afb051d79323ae71ec356bd8a8cff6cebbfba6c8ce80f41db2a3
Formbook
442e64297fefa272744b3e6ed8cc9eb460e182d58bc256964fa73e6c3694a926
Formbook
7f8b4ff72b5a59f4c7bc7ce3d38bb959fe5773e98a9996b92bdc901e56a49ce3
Formbook
8d278608d1d1c4c5b6c048020c23351e75203066af1ae1e63c5c5ac0170cd3de
Formbook
e3982b1cbd3445eb68e177c578113fb2d35b4ed924fbdd7486841846c7a5beb5
Formbook
+ 45 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gy15 credential_access discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240912-jwjkhsyfqc/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Formbook payload
Formbook
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ca5ea40-3ed5-4bde-83fd-cd23eeb08cd0
Unpacked files
SH256 hash:
39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4
MD5 hash:
0ff53c4fcc6b65dea0d1883564e08808
SHA1 hash:
0d7ef9122a9bca045607f8397c476a24fc2c0553
Link:
https://www.unpac.me/results/abdd256a-8931-4819-be65-327fac12718b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39310b37cd28/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolIo
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments