MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa
SHA3-384 hash: 293584a5e38abce8a29c6b955c8c361c9247a7d9b7ce75f58623317c7207616a553a08f602f1a03757db48bb9b68fc37
SHA1 hash: 9ece3d8b910d40de4492da23d0640552d860fec9
MD5 hash: 55b0a801d55a185a5f0cd90d96a3220f
humanhash: timing-beer-eight-golf
File name:Payment Copy [GLV12567196618420067].exe
Download: download sample
Signature Formbook
Create hunting rule
File size:472'665 bytes
First seen:2022-04-12 07:16:34 UTC
Last seen:2022-04-12 12:56:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:Z1Sb/h/RuMjikALg3dHy0G27ZCjYqcUxh2pM3H1:KThYM+kwgNHy0L7ZCvxcpM3H1
Threatray 14'872 similar samples on MalwareBazaar
TLSH T1E7A4016C36B2951FD006127C4D58BB6CD1B8AFDA2A819357B360AF7F3F75B82C984250
File icon (PE):PE icon
dhash icon 79ccaeaeaa92cc69 (1 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Payment Copy [GLV12567196618420067].exe
Verdict:
Malicious activity
Analysis date:
2022-04-13 05:37:22 UTC
Tags:
installer formbook trojan stealer
Link:
https://app.any.run/tasks/77959453-a947-4b06-b54c-b6027a06ac40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/262893/
Detection(s):
SecuriteInfo.com.Dropped.Generic.NSIS.Injector.A.1F08548C.8345.31513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6255276fffe27d5119b2bc31/reports/175c36e3-7d71-40ea-921b-2ab1eb946d60/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/847e027c-d3e9-49d1-9d26-4f6e54960e1f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975132
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 01:37:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hme5u5famstb46vqyhv5uu7mszzibckqc6foi2i64xv536fspcva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07b410374e6c8e4bf019940912986c0fb1279241bd86d135be323d89df9298b3
Formbook
1d5e0028a025d76c09fbf798a8a3311ed7477c985b16ae8078b110e762778154
Formbook
452d0b533d6269e64c54982fbe5e07ad2f20e113650d559829b27135d8adc285
Formbook
4a7aa26a59cccaa38181f61e413214368bd2cb3b8aa9c93c8694cc7d37591a3f
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
76cc06bfad45121afa9c1b5ac81cfc129a3a16a388170a84e895ed099ccccecb
Formbook
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Formbook
e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d
Formbook
+ 14'862 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e0i2 rat spyware stealer trojan
Link:
https://tria.ge/reports/220412-h4clhabeg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
94fcde13fa1a9eb12e3d2d820cad2a62eeb7688293b59b4ab855494aceebcc6f
MD5 hash:
807e5baa8273ab3b0c11ae2ad7310f66
SHA1 hash:
e9725b44ccd2a7d460b7ae4088b77a1adbe0b37d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/06cf294d-c041-430e-adcf-b4dee77978be/
Parent samples :
e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d
76cc06bfad45121afa9c1b5ac81cfc129a3a16a388170a84e895ed099ccccecb
3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa
SH256 hash:
ee83217c7d87c13311e6044d04cd1a528c3c3c5aa9befc328e0f9911f4be3913
MD5 hash:
f1f1113c39553a3c837238b95523a7ab
SHA1 hash:
36e9e74d1b34b327fd795b0ab1ae20c320405a74
Link:
https://www.unpac.me/results/06cf294d-c041-430e-adcf-b4dee77978be/
SH256 hash:
3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa
MD5 hash:
55b0a801d55a185a5f0cd90d96a3220f
SHA1 hash:
9ece3d8b910d40de4492da23d0640552d860fec9
Link:
https://www.unpac.me/results/06cf294d-c041-430e-adcf-b4dee77978be/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3b09da74a064/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/262893/

Comments