MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b
SHA3-384 hash:	343bba8420253a7028b3ed2dce81bf2b28df410a69b9917235da7303c39e17cca87e60af5c16d842182b52344365af4f
SHA1 hash:	a4fff395b9ff3c8077a4001484dfadb758fc025d
MD5 hash:	1216baf1163100675d8854e5baa4140b
humanhash:	five-thirteen-twenty-football
File name:	1216baf1163100675d8854e5baa4140b
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'029'632 bytes
First seen:	2022-03-10 10:29:25 UTC
Last seen:	2022-03-10 13:42:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:AWHx+tiqkCcTfbdKUn66Sktx6KslveRm:AWwcMz6Sktx6KsOm
Threatray	11'779 similar samples on MalwareBazaar
TLSH	T12E25DFE2BF5C877EDC04323BD0E904701EF55A8A3821BF19AA8D42DD4A57ACF19A741D
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/249103/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.6538.22663.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6229d3330cd58dbd927597c2/reports/4a42f410-5e83-47b8-b7a7-5196968dac68/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09f65d8a-6ab2-4d7c-b7c5-7138c5f6f117

Result

Threat name:

FormBook gzRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/954091

Signature

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Yara detected gzRat

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-10 10:30:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

0d77b75875a9194d47cc35e0a00c6ae29215e585616a28b2519239ee6a6a8165

Formbook

3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6

Formbook

6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e

Formbook

6ed4597153654e9526d066d62bbf7cc0e7d7e0660049f9e3b826475d3fa71abe

Formbook

8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa

Formbook

9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3

Formbook

bcb97b3cbfe72dac8416a224ddb03a17ccba79da52872c6f5fcb13b93b43a247

Formbook

+ 11'769 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:m0a8 rat spyware stealer trojan

Link:

https://tria.ge/reports/220310-mjvnssefa9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

.NET Reactor proctector

Formbook Payload

Formbook

Unpacked files

SH256 hash:

9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662

MD5 hash:

b4c9c16228f0ee1de70ffc6264fb720c

SHA1 hash:

437049e452a511e220abdb32df695cdf07f5a7d0

Link:

https://www.unpac.me/results/40820142-22ea-49eb-837e-6f5c4431e17e/

SH256 hash:

694c6756b90b1e4ab142b7dbbfcda1f2e302ff7c0a34165e4d159e144995c2d4

MD5 hash:

97d530e56b34fad0ff6fd572b9ab05df

SHA1 hash:

9b964922706478051b811b43fd7333dd6206d862

Link:

https://www.unpac.me/results/40820142-22ea-49eb-837e-6f5c4431e17e/

SH256 hash:

a802d5fa1aa28f8b5227769814122442cf3306ad8102f9870f95732a61d3ba9c

MD5 hash:

fc061355b80d8c921e34c778fc0ecd41

SHA1 hash:

d18d0644ae9e4f340dfcfc5c0eb96252e1a095c1

Link:

https://www.unpac.me/results/40820142-22ea-49eb-837e-6f5c4431e17e/

SH256 hash:

8eb8f44af58ae986986469b04f5c991c95ad5eda8c96dbbe938fcd7f7e87fdb3

MD5 hash:

89bc7cef19d898eae5f43966393fc1fb

SHA1 hash:

a31292d9f39f9fd58ff0102e3fb8e2692137d6ea

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/40820142-22ea-49eb-837e-6f5c4431e17e/

Parent samples :

3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b
6bd24ce0a16599d97686146c6a822023f0f4896fcee914eed9a4e45a7e46b864
5d73c1ce4d0c8beea33b6eaef76d82e389d139d8e6caa17c2767c70889697c3b
de9fdb344c542595de3ddf65357a6982f0085d0f7b42c1de534c3963134c2cb3
eabfcd738bc46581870a5671823ed4dda66a507606187b0f2a25a3b0f1fa9720

SH256 hash:

3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b

MD5 hash:

1216baf1163100675d8854e5baa4140b

SHA1 hash:

a4fff395b9ff3c8077a4001484dfadb758fc025d

Link:

https://www.unpac.me/results/40820142-22ea-49eb-837e-6f5c4431e17e/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3aff0b3e7195/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 3aff0b3e7195005380f87feb7753190fa70cd885d10721e2fac690eb41690f2b

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/249103/

URLhaus

https://urlhaus.abuse.ch/url/2087761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-03-10 10:29:27 UTC

url : hxxp://103.207.37.129/xprotector/csrss.exe