MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b012c89bb2f6a513be0335d94b0b7f8517edeb70ba37b559a94b0993df4ad80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 3b012c89bb2f6a513be0335d94b0b7f8517edeb70ba37b559a94b0993df4ad80
SHA3-384 hash: 3be275c71569e9adbaa65dfcf32034034799f5fca52656510f0ce1fdce2bdd59294aaeee2ddf893db9215d111b5dd913
SHA1 hash: 218fbe2c10e0bfaf100695523bcc5ca24bf26ded
MD5 hash: 3811dd96b6bbae4548337336368461eb
humanhash: december-thirteen-saturn-seventeen
File name: 3811dd96b6bbae4548337336368461eb.exe
Signature: Formbook
File size: 626'176 bytes
First seen: 2021-09-28 06:28:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 6144:KubE9Umzrbz08KGBAOq+hKqr7tGUAl5IoBAsIeMUCoT4W469rK4OW8VeapDfaeTo:izPzVNi+hBr7IUAcZJodB1I7jF0F
Threatray: 9'546 similar samples on MalwareBazaar
TLSH: T17AD4AEDA1EB463CBFB5E01F8F9782B8813BA9024D59BF3C2DA46B0B311367545920DD6
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 148
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3811dd96b6bbae4548337336368461eb.exe
Verdict: Suspicious activity
Analysis date: 2021-09-28 06:35:52 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: CMSTP Execution Process Creation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID: 491973), Sample: mwh9Lw7d9G.exe, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
Process tree:
    mwh9Lw7d9G.exe (started)
        dropped: C:\Users\user\AppData\...\mwh9Lw7d9G.exe.log, ASCII
        signature: Tries to detect virtualization through RDTSC time measurements
        mwh9Lw7d9G.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            explorer.exe (injected)
                DNS/IP: www.letteringdagabi.com; www.ibusinesshero.com; ibusinesshero.com 34.98.99.30, 49821, 80 GOOGLEUS United States
                signature: System process connects to network (likely due to code injection or exploit)
                cmstp.exe (started)
                    signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                        conhost.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-28 06:29:10 UTC
AV detection: 12 of 44 (27.27%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:mxwf rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.zahnimplantatangebotede.com/mxwf/
Unpacked files
SHA256 hash: 58a8d91b66a32898bb3b9d29ad32ac91916d3c6ef814bf364c728fa70d068385
MD5 hash: d4df5abbec423b07def7ab5d036f5dbe
SHA1 hash: f082f1451a77d793ec3607fe801e4f67086c2977
Detections: win_formbook_g0 win_formbook_auto
Parent samples: 36
SHA256 hash: a06a5a28f3c163da5a07d19bf6916857b6726b7a4dd74c47d34cd0a92db4395e
MD5 hash: ff113846ec21dc96d1d3b56641682aae
SHA1 hash: d4a65df330531fa6aa8001c7a785bb153a774d33

SHA256 hash: 6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash: 681eca96e4e7b513317178dc7065ef39
SHA1 hash: 24af82015bc57d125f1ccb759840118b2283d1dc

SHA256 hash: cfce66dc3c2c136e65ffcbf892f94816a3caa972a8191121fa91f9f048075cff
MD5 hash: bb4ad84eae8749fa5cffcfffe2fd996f
SHA1 hash: 006b28b7e1bc94b884583b4f51bb537bac51f294

SHA256 hash: 3b012c89bb2f6a513be0335d94b0b7f8517edeb70ba37b559a94b0993df4ad80
MD5 hash: 3811dd96b6bbae4548337336368461eb
SHA1 hash: 218fbe2c10e0bfaf100695523bcc5ca24bf26ded
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File: Executable exe 3b012c89bb2f6a513be0335d94b0b7f8517edeb70ba37b559a94b0993df4ad80 (this sample)

Delivery method: Distributed via web download

Comments