MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0
SHA3-384 hash:	1d493b6f37b9b73e3aed5235ae9251f1de2216c642dc2f8cb02bb8036c994f30ccfd56932cd8556ee8486986524bbc4a
SHA1 hash:	bbfad9f7e697c608ccce8c5c4dfbb829cf80674a
MD5 hash:	b3d1e1f0f7706e614de7942cd50a0432
humanhash:	princess-coffee-mountain-lactose
File name:	3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0
Download:	download sample
Signature	Formbook Create hunting rule
File size:	702'984 bytes
First seen:	2024-04-04 14:20:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:xqs3/5dHLHY3U3rDyr/FQKHB9oJtjj4yJxtcQAm+3Fk1y1kxPvJxeekR:8wBR5wcJtP4yrt5KFk1y1CvJxeF
Threatray	290 similar samples on MalwareBazaar
TLSH	T134E423423358B653EF7F2EB660F540067F3B64AA1D55D16C3DAA31460DE3A28AB1C21F
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	c496baa4ecbaa6c4 (14 x AgentTesla, 3 x Loki, 3 x Formbook)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0

Verdict:

No threats detected

Analysis date:

2024-04-04 14:19:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb144250-f3d4-4b24-bec6-f5d0c5803c6f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/660eb750d463a7b0477faebb/reports/0fc7ece9-aa89-4854-9988-ef169b055256/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MSIL Injector

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f8b67e92-3102-4622-9719-406fa995cebd

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1420240

Signature

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-03-22 06:23:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfjiqujxtegkgj4sua6272kcbnfswgqqgfyshhok4pdjs2eablqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

25ddae2daf0f3117cfed10da3447d26c5291a324b44534ed692a873934bac628

Formbook

27aca3b944c0bbd1b6d020de7a9ef916ba170e017ba63304adfef012822cf20f

Formbook

614ae605266b9829b5577ebd8562f5fadb2ef82337597d32e54c8ace9f1ea25c

Formbook

99450e636243dad54861d58c1e62fae329b69b4c9af6ed1f53fba851d20b2fa7

Formbook

ad048fa92eef59c07432e25c1afa2af4853be0a301e3ea64910352373fdea51c

Formbook

bf1f882e2a1d0e35207cd7cab867bffe933e134e43ff317acf2db538bd4d7210

Formbook

cb348e8dbd6c518a9ad671a9fb235cea3eeba8b7036fc5498f6b118d4bc3060b

Formbook

d24bd0ebc242b94f043fe80e7f6a48d20566689f31c55aa1ec910a2877ae9e28

Formbook

+ 280 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240404-rnzkrsag33/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

00c1d9b4cb70d7412e4521566a428e48022b4c485c66d01a563f241e52886632

MD5 hash:

1141828010849f7af98d619ffb6b28b2

SHA1 hash:

bc470a002d842d2d0e692d986b8ff1bf33d3ba89

Link:

https://www.unpac.me/results/8e395869-31c0-48f7-994d-50ed69b557f9/

SH256 hash:

e2572bea802134bf82fed6a77c49f907f3c9cfaca991c8ab6a3b6fd51e311ef4

MD5 hash:

20ddbcc0c03b35d80536e1e858b1c917

SHA1 hash:

a71d08d1f6a2795005b8dc16feaf8ae5f6d42aa8

Link:

https://www.unpac.me/results/8e395869-31c0-48f7-994d-50ed69b557f9/

SH256 hash:

8c5bf9d0fe06f444cd02582ba9242eb9320e2e8e99834520ae137b4f71be1744

MD5 hash:

1f9ac6f5e912d4edc4bba311d962d643

SHA1 hash:

ea049456bf08008ec0c7446e95a39b8a5c99b943

Link:

https://www.unpac.me/results/8e395869-31c0-48f7-994d-50ed69b557f9/

SH256 hash:

8a42144bfaed7278d478bb226c64cfad8abd909f2f4ce18ed17018eebbd590dd

MD5 hash:

10f2dcb1aa3ec0d37027968d347b257a

SHA1 hash:

b2d1181f17169f535a8bfa614c21aab23260155b

Link:

https://www.unpac.me/results/8e395869-31c0-48f7-994d-50ed69b557f9/

SH256 hash:

7cfce9d4374f24d233171eaff3aa995d700542bf0a9fd54f183745647f450c4a

MD5 hash:

aacd3a7a18721a1a5e2aac83bfedc3c9

SHA1 hash:

2743a9077e031d648c206c00bc0fa38f9e0dab38

Link:

https://www.unpac.me/results/8e395869-31c0-48f7-994d-50ed69b557f9/

SH256 hash:

3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0

MD5 hash:

b3d1e1f0f7706e614de7942cd50a0432

SHA1 hash:

bbfad9f7e697c608ccce8c5c4dfbb829cf80674a

Detections:

INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438

Link:

https://www.unpac.me/results/8e395869-31c0-48f7-994d-50ed69b557f9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/395288513799/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3952885137990ca32792a03dafe9420b4b2b1a103171239dcae3c69968800ae0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample