MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b
SHA3-384 hash: 1508965c09142221fdd54677288fd483ff5fb0933d6a9ed2a6c7ee266d2d34ef4a9c5b155a5a56e50393a9d0f8ceb9d3
SHA1 hash: 49e46ae66b2166e3fe8793e1131607d21ac49d4a
MD5 hash: c2b83e9986717633910e995173e50063
humanhash: moon-table-yellow-dakota
File name:c2b83e9986717633910e995173e50063
Download: download sample
Signature Formbook
Create hunting rule
File size:850'432 bytes
First seen:2022-12-05 07:27:44 UTC
Last seen:2022-12-05 09:40:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:e5rcirkg586aWHffLZWuL2bg0sX/Zx118MZnJ4klnwP//zn9XI:krZrB5O8fLcaZx1154Csz9X
TLSH T195053B4CF3089E36FDA983FD3692409E625E148D7470E7E08A89A4FD7234E9E1BDB505
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Revised PO1KT762000.xls
Verdict:
Malicious activity
Analysis date:
2022-12-05 06:44:02 UTC
Tags:
macros trojan opendir exploit cve-2017-11882 loader formbook xloader stealer
Link:
https://app.any.run/tasks/a58f4cc5-d7ff-437d-98e1-6fdd7a1e2838

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342761/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3595.20571.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638d9d83a2c2485912c79809/reports/7cbeb063-55e5-4587-b582-86710106adef/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df90cf0e-020f-4ddd-b670-a42faddec0b2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127781
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 760505 Sample: x3Yrvnr8kc.exe Startdate: 05/12/2022 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected AntiVM3 2->38 40 6 other signatures 2->40 10 x3Yrvnr8kc.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\x3Yrvnr8kc.exe.log, ASCII 10->28 dropped 50 Tries to detect virtualization through RDTSC time measurements 10->50 52 Injects a PE file into a foreign processes 10->52 14 x3Yrvnr8kc.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.metamallmarketplace.com 17->30 32 metamallmarketplace.com 34.102.136.180, 49716, 80 GOOGLEUS United States 17->32 42 System process connects to network (likely due to code injection or exploit) 17->42 21 explorer.exe 17->21         started        signatures10 process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 07:28:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjxekw337flqyixckw4hucjjv4ktel74wgjwuqpxqlspkl6r3zvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dv22 rat spyware stealer trojan
Link:
https://tria.ge/reports/221205-janbkscg8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
bace5ee9a88412c9d14fc931a94105ffa2a4add2df7f673b0ede682c61a2d877
MD5 hash:
6f9728720648a0a5e086e1e35e6719f6
SHA1 hash:
08938fa98338fd732104b3e89a89ae19f9ed9e0e
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/eeb82e7b-2927-4da8-adf5-2b8e9e4a30f7/
Parent samples :
8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897
3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b
ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5
SH256 hash:
04ae783d6d2f8e1654a54c552f644b4c4d748ab0bfbdd8ea1ae4b58a5615c863
MD5 hash:
e7b54fef0a0624b5da3334562eaadc7b
SHA1 hash:
bb8b17733bb9755d16c38134d7b05e35b4ce8176
Link:
https://www.unpac.me/results/eeb82e7b-2927-4da8-adf5-2b8e9e4a30f7/
SH256 hash:
65321687e5d279d518612099cde2a6a4aa6967cd9feb1f27b5fa9414e91a0f9c
MD5 hash:
7c0b7084eeb6db3caf7a3883accba0b2
SHA1 hash:
910cf8e1cf60a40afdfd1f7d6b3b1a54acfa013d
Link:
https://www.unpac.me/results/eeb82e7b-2927-4da8-adf5-2b8e9e4a30f7/
SH256 hash:
70deaa48d98703d378aeb4f16a4b7ca7e59301fa34844bc118e272f760272b7a
MD5 hash:
25735f700727ca24531930e831e39580
SHA1 hash:
739a0201bbe209e6114f0542ea7ac1784081709d
Link:
https://www.unpac.me/results/eeb82e7b-2927-4da8-adf5-2b8e9e4a30f7/
SH256 hash:
139d326b486356ac5fcf1dc8550ee7e6185abf0cf67aa7570d2278faef9181b7
MD5 hash:
d3c60ea76fbab0c0d8b81906dccf8d46
SHA1 hash:
2e1253da877525d4c719d884fa886f544b25a747
Link:
https://www.unpac.me/results/eeb82e7b-2927-4da8-adf5-2b8e9e4a30f7/
SH256 hash:
3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b
MD5 hash:
c2b83e9986717633910e995173e50063
SHA1 hash:
49e46ae66b2166e3fe8793e1131607d21ac49d4a
Link:
https://www.unpac.me/results/eeb82e7b-2927-4da8-adf5-2b8e9e4a30f7/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a6e455b7bf9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3a6e455b7bf9570c22e255b87a0929af15322ffcb1936a41f782e4f52fd1de6b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2444675/
Cape
Cape
https://www.capesandbox.com/analysis/342761/

Comments


Avatar
zbet commented on 2022-12-05 07:27:50 UTC

url : hxxp://198.23.188.139/125/vbc.exe