MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63
SHA3-384 hash: 1fe9396c43177a48b3fa36a3c361ba3b247a16a2b8799bca842d6ea32386db91f13fca6b9ad82e21efaa82016b133442
SHA1 hash: 575caf4c6c4d85ed76b60abddbc6dc335ff11177
MD5 hash: 61e99b74b2905cb627430ffcff42dda1
humanhash: colorado-princess-early-jupiter
File name:61e99b74b2905cb627430ffcff42dda1.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:576'512 bytes
First seen:2023-11-01 06:51:42 UTC
Last seen:2023-11-01 08:16:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:m8G69yqLKWqieizNNf4OVMY0Wb0W3jUcTSK2OtzYHJ0/Bgw:66XW3PizHNMY0WtUcTCOIJ0/B
Threatray 168 similar samples on MalwareBazaar
TLSH T124C422407BBD4B64C77CA3B54BE35148A3B7721B1160EB2D2CC866CE50B7B8A4765B83
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4c6a2202e223684 (12 x AgentTesla, 8 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457549/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.25185.14071.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Inject4.59820.17741.14938.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys packed
Link:
https://www.filescan.io/uploads/6541f59ca6fa5eab936c7a7f/reports/82a31719-f8c4-4081-95b6-43bfd07338af/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d80d384-c050-4402-b01b-663383d02a99
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335283
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335283 Sample: MpUHru3rxY.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 34 www.whatpowerplug.com 2->34 36 www.titocart.com 2->36 38 12 other IPs or domains 2->38 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 8 other signatures 2->50 11 MpUHru3rxY.exe 3 2->11         started        signatures3 process4 signatures5 58 Tries to detect virtualization through RDTSC time measurements 11->58 14 MpUHru3rxY.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 13 7 14->17 injected process8 dnsIp9 28 www.titocart.com 104.21.4.204, 49744, 80 CLOUDFLARENETUS United States 17->28 30 www.mp3juices.work 104.21.65.225, 49735, 80 CLOUDFLARENETUS United States 17->30 32 4 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Uses netstat to query active network connections and open ports 17->42 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-30 13:59:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgguzg7kqezbbzlnunkh7r4e6d764vxzto4psuqw2boh2bvbjvrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
247c8156cf06c5d9dec7d5fa0b158339110b556d41b0750bff34d36086554746
Formbook
3106ab616dc892b43c8d9c28a9fc9f83b3e4676b5e4e61dc0dd97bab8d6072e1
Formbook
3ac037f29c08bafccd3cf6c0e88cb933795ea25bf1e9415ed89e83574b7f2566
Formbook
7da9294ba554d4c17ed9e4caac9836e303980814c7898b422ccde7a246ac26a5
Formbook
a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3
Formbook
b25ef1900e652bb134050946db0e2b68db9eb5afe55e93db3fddca8897498048
Formbook
eb2c77eb03b17cdb76301d30bf4b07d97f3d0a742d198cf84a191c8271a42b4a
Formbook
f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949
Formbook
fff4ae5faba33cf9265b80fb2cd328fbd08fd6649fe71c95a5e8bedb22036a7a
Formbook
+ 158 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o5pf rat spyware stealer trojan
Link:
https://tria.ge/reports/231101-hnnntsbh6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
764626825537bb776af81a162fe5b90c71fb8999d5e31a4bcb486f7b35d346fb
MD5 hash:
1ea222ce3f8474c2e4379cf6fd75a8ba
SHA1 hash:
d5e4ae31492e35d8fe50fdd8f6092450bb87019d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b423f437-aa68-4ac7-a88f-551e89581a45/
Parent samples :
eb2c77eb03b17cdb76301d30bf4b07d97f3d0a742d198cf84a191c8271a42b4a
398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63
SH256 hash:
a311c67e0bb00a74da93860302adb22926bedbf253cccd412609e8865aaa3577
MD5 hash:
4d9a190baac47411916c5ea0c62ebe91
SHA1 hash:
c54bb84403c45557daa8ddfc23ab94b507b332b9
Link:
https://www.unpac.me/results/b423f437-aa68-4ac7-a88f-551e89581a45/
SH256 hash:
758bfca2d1d77955d3d83e6b42678c3ab63debadbef76ac52e86b7f5a5855dd4
MD5 hash:
626682715389c6d615dc0d4fe2affd27
SHA1 hash:
b332f746b88c4acfd284d68b2223f6f6e413c472
Link:
https://www.unpac.me/results/b423f437-aa68-4ac7-a88f-551e89581a45/
SH256 hash:
a7ef759c38ab070f2c2cf3e71323609c5789cb709d6db2990a1c9ddcd24e3205
MD5 hash:
a315610d6d907f979250c06dfb865743
SHA1 hash:
08f3d6803a08eba2ce729caaa8cd618656929045
Link:
https://www.unpac.me/results/b423f437-aa68-4ac7-a88f-551e89581a45/
SH256 hash:
398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63
MD5 hash:
61e99b74b2905cb627430ffcff42dda1
SHA1 hash:
575caf4c6c4d85ed76b60abddbc6dc335ff11177
Link:
https://www.unpac.me/results/b423f437-aa68-4ac7-a88f-551e89581a45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 398d4c9bea813210e56da3547fc784f0ffee56f99bb8f95216d05c7d06a14d63

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2724617/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/457549/

Comments