MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8
SHA3-384 hash: 6447659714f1d89d219f80f0543d93b1c1210c98bdcd6bdf02576b798010a871b75d1bf1d0232b81f34941c7b3e3410f
SHA1 hash: a4d4f31fb794bbf59be542f493aea9f9e3857d47
MD5 hash: 0f60f086665fd4d442821851c878c21b
humanhash: gee-alaska-violet-hotel
File name:0f60f086665fd4d442821851c878c21b
Download: download sample
Signature Formbook
Create hunting rule
File size:7'680 bytes
First seen:2023-12-01 03:59:41 UTC
Last seen:2023-12-01 05:16:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 96:K1FlqCSVw5PbMDDLUr39zf4trmVS0JTA5LqtCnl8HvPvmXzNt:K1CMbUnE3Nf49wSwA5LqtBPP+B
Threatray 4'014 similar samples on MalwareBazaar
TLSH T1DBF109149BAC8337EAAF0BBADC7743831335F3919881AB8F396C62151D076500D6B7A4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0f60f086665fd4d442821851c878c21b
Verdict:
Malicious activity
Analysis date:
2023-12-01 04:02:35 UTC
Tags:
purecrypter evasion stealer
Link:
https://app.any.run/tasks/386b42cb-c0b3-47f1-a539-c1b621f5a5ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461552/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbfa2e53-952c-4c7c-9678-3f6cf7a0f82c
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1351061
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8/
Threat name:
ByteCode-MSIL.Trojan.ZgRAT
Create hunting rule
Status:
Malicious
First seen:
2023-11-28 02:02:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlgzaglnz5j523rglxe4rgz4wdchmsfdw6wi6itmnnfzr447f7ea._file
Verdict:
malicious
Similar samples:
3f26b871b1e556d19b67814d3a758316b655cd508be014a2eea2cf40e1371b94
Formbook
46f28066c02abc39d4f13b5370838c2e0b3d8471c8db9cc5079a41146edbfed7
Formbook
7cbd052cfacbd32d5d3f4d39f630d2e016e03311a61b16f568e242b26b91c211
Formbook
991ceb2cca00bbb3bdec6e91d434d7dec7581721ff45154db40104702f18f437
Formbook
aa0fa30ef80538c3902ec9e99e8309606b1e5a81ac6113a43ee79d22f3548f96
Formbook
+ 4'004 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat spyware stealer
Link:
https://tria.ge/reports/231201-ekf8sseg47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8
MD5 hash:
0f60f086665fd4d442821851c878c21b
SHA1 hash:
a4d4f31fb794bbf59be542f493aea9f9e3857d47
Link:
https://www.unpac.me/results/c0ea6feb-7ba6-41f3-a818-f78eddbb11b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/461552/
  
URLhaus
https://urlhaus.abuse.ch/url/2736470/

Comments


Avatar
zbet commented on 2023-12-01 03:59:41 UTC

url : hxxp://5.181.80.126/Elbfyhag.exe