MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3af7bca2ef6e2e3325806698564b5de570edbbf0c725fe467910bf36feb21c5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3af7bca2ef6e2e3325806698564b5de570edbbf0c725fe467910bf36feb21c5e
SHA3-384 hash: 9fc702e3bc0b3068f5e8d4812e0691c263b53f2198bc3e76656b049fa0af3ae6be3bad823d9e363e2d7bb3efbc40cf44
SHA1 hash: a6954cc6f84f37a896be0d5ecec8494ccf7e0cb5
MD5 hash: b2fdead3baa53a08f1551c0497843c85
humanhash: freddie-zebra-mirror-video
File name:b2fdead3baa53a08f1551c0497843c85
Download: download sample
Signature Formbook
Create hunting rule
File size:181'248 bytes
First seen:2022-07-19 16:58:06 UTC
Last seen:2022-07-22 10:17:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:k+bMeJGzkzIhW30VPXhcs5BqYPFKxAj0k/G7UtGymiEXws379+D:lpYAzIDVPx/BqY9KxJk/G79+o9+
Threatray 14'759 similar samples on MalwareBazaar
TLSH T1E704AE32E741C070E3B251F5B26D2B7B883E6D343354A0AAE3E11AD46EB05E5B56931F
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
http://193.233.179.125/HaDmF.exe
Verdict:
Malicious activity
Analysis date:
2022-07-19 21:41:10 UTC
Tags:
loader formbook trojan stealer
Link:
https://app.any.run/tasks/c2851167-bc11-4ae7-bb28-33017ddb71c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291946/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook overlay packed
Link:
https://www.filescan.io/uploads/62d6e2f045a9cc40878d6ac2/reports/d8bdd773-3160-4cc9-ade5-469aaecbfecb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/106c894f-0c3b-4422-9f37-55d132391cc4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036691
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3af7bca2ef6e2e3325806698564b5de570edbbf0c725fe467910bf36feb21c5e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 16:52:02 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hl33zixpnyxdgjmam2mfms254vyo3o7qy4s74rtzcc7tn7vsdrpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09a7e10a1a6d589f868ad25906c6fe212c9d1bd68772f59f55fbb0b528e8ec8a
Formbook
151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
Formbook
3235d12ee1b9b108d372200b7bda8b6074881f0fd8953ef80b3e2351da328c0c
Formbook
400cf8fe4f1f1d748f7e6696227fe25164aa51e2c731e5cc621d708d0015065b
Formbook
8d9dfcc6b6ca6a08a839d8d87ec1e36e79523b63b4564ed22a5bba7adc6e0a55
Formbook
b8d8a8ab682956d7abd31c4fa49690ece5f9349ea7753e83243ef5a933df4684
Formbook
bd05508fe06a7725b7b3f6c43cef2575936941dd55cb3d0b04c8a9817f8bd595
Formbook
c14b5f56387ad871d44cc3f3d9e079b2fa5bb711374aefe34f91e8d963c53dbb
Formbook
c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
Formbook
efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff
Formbook
+ 14'749 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220719-vhdb5agcgl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
3af7bca2ef6e2e3325806698564b5de570edbbf0c725fe467910bf36feb21c5e
MD5 hash:
b2fdead3baa53a08f1551c0497843c85
SHA1 hash:
a6954cc6f84f37a896be0d5ecec8494ccf7e0cb5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/28076fd9-ead7-48f1-af2d-642abb4a4ec8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3af7bca2ef6e2e3325806698564b5de570edbbf0c725fe467910bf36feb21c5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3af7bca2ef6e2e3325806698564b5de570edbbf0c725fe467910bf36feb21c5e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259020/
  
URLhaus
https://urlhaus.abuse.ch/url/2259022/
Cape
Cape
https://www.capesandbox.com/analysis/291946/

Comments


Avatar
zbet commented on 2022-07-19 16:58:17 UTC

url : hxxp://193.233.179.125/XkSBA.exe