MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103
SHA3-384 hash:	c575193326a361ec9f77d7b9a7c5d245586b0b3301347606adc4520106d6bc1bfc204643845628e3c9d90eb8720e8e4e
SHA1 hash:	57d126275f4cb5a3599714e73a750c3c0ee43549
MD5 hash:	8fc0d31734978c221b06ed494b0388f4
humanhash:	robert-illinois-yellow-berlin
File name:	Invoice 9673usd.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'211'904 bytes
First seen:	2024-11-27 01:45:23 UTC
Last seen:	2024-11-27 04:38:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:dtb20pkaCqT5TBWgNQ7aFFq96FClWSYSBIef5Yt0i+6A:OVg5tQ7aFE64/YSBPBCE5
Threatray	1'814 similar samples on MalwareBazaar
TLSH	T1CB45C02373DD8361C3725273BA15BB01BEBB782506A5F96B2FD40D3DE920122525EA73
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	cocaman
Tags:	exe FormBook INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

509

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Invoice 9673usd.rar

Verdict:

Malicious activity

Analysis date:

2024-11-27 01:48:39 UTC

Tags:

arch-exec autoit

Link:

https://app.any.run/tasks/dbfa4dec-12ed-430b-9c0b-1895df712c00

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=674679dbb31374f09834f74c

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit compiled-script fingerprint keylogger lolbin masquerade microsoft_visual_cc packed packed packer_detected schtasks wscript

Link:

https://www.filescan.io/uploads/674679dbd00b44b0b2a6f9b2/reports/243b7888-c7c9-4ef4-8e75-48e720a85552/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f7fa618f-7c93-4757-a5ee-214972dc6f2f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1563522

Signature

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2024-11-27 01:45:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hkaznxet3iwc4kuvcxf4l736i7lhtycm4umvovi6xk6gjfwmgebq._file

Verdict:

malicious

Label(s):

autoit

Formbook

90e512c7bcc7ff595750229a34b01cdaea4fb77bb688c24192c92096b0848111

Formbook

985729c4a77f2146cf65fe2c8c63222ba27ed1fc643e02cae53e0b64a075f622

Formbook

a6383c0e6d1660f45356eb6b6cfcb90d7558682c94994b7f23c02764a7d4fc08

Formbook

a949711a2548287c4da624ebf136e41df1deba6b67783bf3dc3a30fded99d12c

Formbook

error

Formbook

+ 1'804 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/241127-b6y4yszqby/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8178d076-a1d8-4613-ae00-708fba149334

Unpacked files

SH256 hash:

3356c68a07332bc673a401d0344b916064090ccd447377d9335f42f34262b458

MD5 hash:

1c828bf0048602596d820514936d947e

SHA1 hash:

f3b0d2b360e467475b08e86393f2d89b63a7cf59

Link:

https://www.unpac.me/results/16ab0176-1696-400c-ad3f-03fc5fd44fe6/

Parent samples :

78ccda9ce77fc7adb68fac21cc8019dbdc10fadd481f28f28e0428eb35828fbf
693424f033f85a79af47963f829e65b5315faad47cd4a82d3a0a76c6962c9968
66414ea66a2dc1d4bc840e98b4b7f22d78826e39370fdb44c62260dc1d048a8f
0cf59270641cc6e7790ae47a708f1e4e2fa9735d1743dc507b2e733fe9b7cfb4

SH256 hash:

34729ecfa93d2fa712b217df79618e82170cd359155752013dcd73c006c37b87

MD5 hash:

db2e04af69eff7d66698317c7a37dfc5

SHA1 hash:

99a4fbae56fe197c3631fd7f05d5b1b8872fb84f

Link:

https://www.unpac.me/results/16ab0176-1696-400c-ad3f-03fc5fd44fe6/

SH256 hash:

3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103

MD5 hash:

8fc0d31734978c221b06ed494b0388f4

SHA1 hash:

57d126275f4cb5a3599714e73a750c3c0ee43549

Link:

https://www.unpac.me/results/16ab0176-1696-400c-ad3f-03fc5fd44fe6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3a8196dc93da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 3bf60bc7f408e13988860051412a1c538537b0d532cf0283ae3eed2e36025043

Formbook

exe 3a8196dc93da2c2e2a9515cbc5ff7e47d679e04ce51957551ebabc6496cc3103

(this sample)

Delivery method

Other

Dropped by

SHA256 3bf60bc7f408e13988860051412a1c538537b0d532cf0283ae3eed2e36025043

Dropped by

MD5 dc8694245c13b1220685e0534c15a5e1

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample