MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
SHA3-384 hash: 690c8059b9f223f18367336be69fa91dbd18502c6211884fde3fa779b706ce5e251f0ce61b2839cddbcb67872dfc36af
SHA1 hash: 1c189b88e848d4f43e0b91f79c415a7081727e45
MD5 hash: 7a7e1fdc019017623308a788e4950392
humanhash: tennis-hawaii-south-asparagus
File name:PURCHASE ORDER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:13'312 bytes
First seen:2023-02-09 07:15:42 UTC
Last seen:2023-02-09 08:31:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:kYVYVMIE/FlaknIbE3lROzZK06wzbaZv:rYVtE/rI8Ozt6SbSv
Threatray 1'091 similar samples on MalwareBazaar
TLSH T138522A6063EC6523F8BE5BB988FA5510477CB6D3AC22DB6E21C551CE6AC23404991B37
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PURCHASE ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-02-09 07:16:18 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/42924dfd-ddb1-4668-9398-2d8b08c8e499

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/362576/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65414124.26085.31393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
kryptocibule
Link:
https://www.filescan.io/uploads/63e49db313286ddce30b523e/reports/227e3a17-915b-49af-a9f5-b304e8c65ca9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/932cca5a-69ee-4327-ab68-731ac7a4aba5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1170556
Signature
Antivirus detection for URL or domain
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 803346 Sample: PURCHASE ORDER.exe Startdate: 09/02/2023 Architecture: WINDOWS Score: 100 34 www.kenymart.online 2->34 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 8 other signatures 2->50 9 PURCHASE ORDER.exe 3 2->9         started        signatures3 process4 dnsIp5 42 185.17.0.79, 49695, 6666 SUPERSERVERSDATACENTERRU Russian Federation 9->42 32 C:\Users\user\...\PURCHASE ORDER.exe.log, CSV 9->32 dropped 54 Writes to foreign memory regions 9->54 56 Injects a PE file into a foreign processes 9->56 14 jsc.exe 9->14         started        17 EdmGen.exe 9->17         started        19 aspnet_regiis.exe 9->19         started        21 4 other processes 9->21 file6 signatures7 process8 signatures9 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 23 explorer.exe 1 14->23 injected process10 dnsIp11 36 www.cmproutdoors.com 156.255.170.114, 49697, 49698, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 23->36 38 www.firebirds-softball.org 91.195.240.117, 49696, 80 SEDO-ASDE Germany 23->38 40 7 other IPs or domains 23->40 52 System process connects to network (likely due to code injection or exploit) 23->52 27 raserver.exe 13 23->27         started        30 autochk.exe 23->30         started        signatures12 process13 signatures14 58 Tries to steal Mail credentials (via file / registry access) 27->58 60 Tries to harvest and steal browser information (history, passwords, etc) 27->60 62 Modifies the context of a thread in another process (thread injection) 27->62 64 Maps a DLL or memory area into another process 27->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-02-08 10:39:26 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hox54vf2nbygbld3c6sng57tndjhz56cd6zwtekqmxxetfosyapa._file
Verdict:
malicious
Similar samples:
277695c9c74d59d603816ca495662666d702dce65c7949468eed50ad5e8171a8
Formbook
32603d6c0a84eeb638434c8f7e351dd062d88a5da3d4fd659a8ae6570339845c
Formbook
357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
Formbook
36ce3b9ec0b50fcc219b1f1272363b8d3542b4afc3229e0251f58d9b27fb74e1
Formbook
40fbdffc4c34a41a564d0863ed3563fb04f97b9325c1ec297a4477b15e6efbbc
Formbook
59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb
Formbook
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
Formbook
914e09b5e1bee2e3bbb2d77f8fae1a8069f67b887f6abf9c5785e9fc5e39dd1c
Formbook
c0e2de257b40366c2e97a6c4a074d18a49a8ade3037632cd754489d26198dbd3
Formbook
+ 1'081 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230209-h3sw4ahe83/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
MD5 hash:
7a7e1fdc019017623308a788e4950392
SHA1 hash:
1c189b88e848d4f43e0b91f79c415a7081727e45
Link:
https://www.unpac.me/results/ba69ffd7-417e-4961-9929-9b1a74432a1a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3bafde54ba68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/362576/

Comments