MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b612f10d1f41e30c40ce875d094f2e78c8744d4b3647683fc6af2212da4e233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b612f10d1f41e30c40ce875d094f2e78c8744d4b3647683fc6af2212da4e233
SHA3-384 hash: c33f81c56dab244318b26f3c614295feea6dff2b43c05abc7131213d3b4e000a7f04020252e7cee2c67549691ef5517a
SHA1 hash: d7db4332d9815e1645c89594666bb133eb881f4b
MD5 hash: 2dff0088cd70e51e064c7e7393e53ddf
humanhash: jupiter-alpha-river-butter
File name:scab_document087654321234567.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:234'286 bytes
First seen:2021-08-06 13:45:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c517b095db8f3da579eca576ece2d27 (4 x Loki, 3 x Formbook, 1 x AgentTesla)
ssdeep 6144:SHa7kigAgZKA1xG7plOkMdpHnJCp4XStzADm2nTp:v7xgN0SxG7fNMrHM4XS4m2nTp
Threatray 7'476 similar samples on MalwareBazaar
TLSH T1F334121FA0231B31E02558749BD165F9485D0AB2CBD219E4DD42B5BEE272B309BF8F27
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
400
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scab_document087654321234567.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-06 13:53:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75eb1f5b-aa25-4d2c-b85a-958a2df22ede

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177038/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.57569.1639.24616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eba95c42-9144-47a0-9929-b2a4629cf45a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/828324
Signature
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3b612f10d1f41e30c40ce875d094f2e78c8744d4b3647683fc6af2212da4e233/
Threat name:
Win32.Trojan.Fugrafa
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 06:03:29 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnqs6egr6qpdbram5b25bfhs46giorguwnshna74nlzcclne4izq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12c961f1b5f752a22c1a3085fc2447749572fbcb35b3c6e46f6fa310b19572b7
Formbook
22ae731061f7359c7467be0f7a710013516ed356a79b2e23adec7c57a12624a2
Formbook
6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Formbook
6c6dd45a923d7eb6fa1f114a5a4c20fab27bc03e44a5c8cb8627d43da93dfe48
Formbook
6d308c2e93c341ef11c0b14420e158fd650c637190a4daedf003ec091e703a85
Formbook
6da50c6b31b4125631987f40d7bd3dacab22c961ca9ba60dfdfa45120d5ec17a
Formbook
6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
Formbook
9b985974efb3d7555b61cec77f2667cd6aca5f74a07f712b3aa58a54aa03bebb
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
e1fee7ee20f6d3bd6e913baeae737c558014454223d552c125c3f963e7c1a843
Formbook
+ 7'466 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nt83 loader rat
Link:
https://tria.ge/reports/210806-lghqbp18tx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.bnmud.com/nt83/
Unpacked files
SH256 hash:
b4f8fb64a26d5cc53d5679664d8eee30ca750514f8f3df9e5638a6c28d9fe8d6
MD5 hash:
6df3febe6011c2890b6596efbbc3de0b
SHA1 hash:
9a104ed3f498f5f520a0144e2e50536b167aa59c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cd2b0d60-d6bc-4128-9360-e19c8a830272/
SH256 hash:
3b612f10d1f41e30c40ce875d094f2e78c8744d4b3647683fc6af2212da4e233
MD5 hash:
2dff0088cd70e51e064c7e7393e53ddf
SHA1 hash:
d7db4332d9815e1645c89594666bb133eb881f4b
Link:
https://www.unpac.me/results/cd2b0d60-d6bc-4128-9360-e19c8a830272/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/3b612f10d1f41e30c40ce875d094f2e78c8744d4b3647683fc6af2212da4e233

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3b612f10d1f41e30c40ce875d094f2e78c8744d4b3647683fc6af2212da4e233

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177038/

Comments