MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: 3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481
SHA3-384 hash: e66db110a41eeea4272545c515dfd90adfad87d814b81aed0f252fdabf847d91bba350307258e1a6bddd71ae7974c0fb
SHA1 hash: 6de7786af64243fc2c37d1c660a7a49485bb27e2
MD5 hash: 8dfd157a338780f5b297db88b8261e65
humanhash: pasta-kansas-nine-music
File name: Yeni siparis eklendi.exe (Turkish: "New order added", an order/invoice lure)
Signature: Formbook
File size: 1'079'808 bytes
First seen: 2022-04-07 11:36:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4116ae7b3160bb7c72cca76cb8e5eb22 (5 x Formbook, 5 x DBatLoader, 3 x ModiLoader)
ssdeep 12288:33NcL6BFE+1exrI13sasf0iLBBejqqB7WLjq716TnT0tyB3h2uZec4qOjF:3aj4eisasTBorATnT00Wuby
Threatray 11'945 similar samples on MalwareBazaar
TLSH T17E358E12FB59A473C8321A355D0F67A869267E033D3844462BF26D5CEEF73827939683
dhash icon b2b1f1ecccce9c98 (8 x Formbook, 6 x DBatLoader, 5 x ModiLoader)
Reporter malwarelabnet
Tags:exe FormBook modiloader xloader

Intelligence


File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
Yeni siparis eklendi.exe
Verdict:
Malicious activity
Analysis date:
2022-04-07 11:55:22 UTC
Tags:
formbook trojan stealer phishing covid19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed replace.exe
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DBatLoader FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph (ID 604813; sample: Yeni siparis eklendi.exe; start date: 07/04/2022; architecture: WINDOWS; score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures.

Process tree reconstructed from the graph, with the network, file and signature annotations attached to each node:

Yeni siparis eklendi.exe (started)
    DNS/IPs: onedrive.live.com; ngqv6w.dm.files.1drv.com; dm-files.fe.1drv.com
    Dropped: C:\Users\Public\Libraries\Cnfnytz.exe (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    `-- logagent.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        `-- explorer.exe (injected)
            |-- Cnfnytz.exe (started)
            |   DNS/IPs: l-0003.l-dc-msedge.net 13.107.43.12:443 (source ports 49787, 49789; MICROSOFT-CORP-MSN-AS-BLOCK, US); 192.168.2.1; 4 other IPs or domains
            |   Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
            |   `-- DpiScaling.exe (started)
            |       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Tries to detect virtualization through RDTSC time measurements
            |       `-- WWAHost.exe (started)
            |           Signatures: Tries to detect virtualization through RDTSC time measurements
            |-- help.exe (started)
            |   Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            |   `-- cmd.exe (started)
            |       `-- conhost.exe (started)
            `-- svchost.exe (started)
Cnfnytz.exe (started)
    DNS/IPs: l-0004.l-dc-msedge.net 13.107.43.13:443 (source ports 49782, 49784; MICROSOFT-CORP-MSN-AS-BLOCK, US); onedrive.live.com; 2 other IPs or domains
    Signatures: Injects a PE file into a foreign processes
    `-- logagent.exe (started)
explorer.exe (started)
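The behaviours reported above (the ANY.RUN list, the Joe Sandbox signatures and the process tree) map directly onto host telemetry: a binary running from C:\Users\Public\, svchost.exe whose parent is explorer.exe rather than services.exe, a process in a public folder making network connections, cmd.exe under a hollowed System32 utility, and a Run-key write. The Python below is an added example and not code from MalwareBazaar or any of the vendors shown. It runs simplified renderings of the Sigma titles named on the page over constructed Sysmon-style events that mirror the tree; the rule bodies, the svchost parent allow-list, the Sysmon field names and the registry value name are assumptions of this example, not the published Sigma rules.

```python
"""Host-telemetry triage for the behaviours this entry reports (added example).

Not MalwareBazaar or vendor code. The events are constructed to mirror the
Joe Sandbox process tree above; the rules are simplified renderings of the
Sigma titles named on the page plus the Run-key persistence ANY.RUN reports,
not the published Sigma rule bodies.
"""
from __future__ import annotations

import ntpath

PUBLIC_DIR = "c:\\users\\public\\"  # "Execution from Suspicious Folder" path family (assumed)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Assumed allow-list of legitimate svchost.exe parents (simplified).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}
# System32 binaries the graph shows being hollowed; cmd.exe under them is suspect.
HOLLOWED_HOSTS = {"logagent.exe", "help.exe", "dpiscaling.exe", "wwahost.exe"}

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect,
# 13 = RegistryEvent SetValue) mirroring the process tree on this entry.
EVENTS = [
    {"EventID": 1, "ProcessId": 10, "Image": r"C:\Users\user\Desktop\Yeni siparis eklendi.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 19, "Image": r"C:\Windows\System32\logagent.exe",
     "ParentImage": r"C:\Users\user\Desktop\Yeni siparis eklendi.exe"},
    {"EventID": 1, "ProcessId": 26, "Image": r"C:\Users\Public\Libraries\Cnfnytz.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 32, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 37, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\help.exe"},
    # Benign control: services.exe starting svchost.exe must not alert.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Network connection from the dropped copy; IP and port taken from the graph.
    {"EventID": 3, "ProcessId": 26, "Image": r"C:\Users\Public\Libraries\Cnfnytz.exe",
     "DestinationIp": "13.107.43.12", "DestinationPort": 443},
    # Run-key write; the SID and value name are assumptions of this example.
    {"EventID": 13, "ProcessId": 26, "Image": r"C:\Users\Public\Libraries\Cnfnytz.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Cnfnytz"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _in_public(path: str) -> bool:
    return path.lower().startswith(PUBLIC_DIR)


def rule_suspicious_folder(ev: dict) -> str | None:
    if ev["EventID"] == 1 and _in_public(ev["Image"]):
        return f"{ev['Image']} (pid {ev['ProcessId']}) started from a world-writable public folder"
    return None


def rule_suspicious_svchost(ev: dict) -> str | None:
    if (ev["EventID"] == 1 and _name(ev["Image"]) == "svchost.exe"
            and _name(ev["ParentImage"]) not in SVCHOST_PARENTS):
        return f"svchost.exe (pid {ev['ProcessId']}) spawned by {ev['ParentImage']}"
    return None


def rule_public_network(ev: dict) -> str | None:
    if ev["EventID"] == 3 and _in_public(ev["Image"]):
        return f"{ev['Image']} connected to {ev['DestinationIp']}:{ev['DestinationPort']}"
    return None


def rule_hollowed_host_shell(ev: dict) -> str | None:
    if (ev["EventID"] == 1 and _name(ev["Image"]) == "cmd.exe"
            and _name(ev["ParentImage"]) in HOLLOWED_HOSTS):
        return f"cmd.exe (pid {ev['ProcessId']}) launched by {ev['ParentImage']}"
    return None


def rule_run_key(ev: dict) -> str | None:
    if ev["EventID"] == 13 and RUN_KEY in ev["TargetObject"].lower():
        return f"{ev['Image']} set {ev['TargetObject']}"
    return None


RULES = {
    "Execution from Suspicious Folder": rule_suspicious_folder,
    "Suspicious Svchost Process": rule_suspicious_svchost,
    "Suspicious Program Location with Network Connections": rule_public_network,
    "Command interpreter under hollowed System32 host": rule_hollowed_host_shell,
    "Run key persistence": rule_run_key,
}


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule title, detail) for every event that matches a rule."""
    alerts = []
    for ev in events:
        for title, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append((title, detail))
    return alerts


if __name__ == "__main__":
    for title, detail in triage(EVENTS):
        print(f"[{title}] {detail}")
```

Run against the constructed events, the benign services.exe -> svchost.exe record produces nothing while each of the five behaviours fires once; on real Sysmon data the same rules would need the fuller allow-lists and path families of the published Sigma rules to keep false positives down.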
Threat name:
Win32.Trojan.Pwsx
Status:
Malicious
First seen:
2022-04-07 07:24:37 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Result
Malware family:
xloader
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:uj3c loader persistence rat trojan
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Downloads MZ/PE file
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SHA256 hash:
4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b
MD5 hash:
f125d9101ccc3b42b5a847f8182b85e5
SHA1 hash:
c2f18fe8876110488df97d0818e0dd3cb89b0105
Detections:
win_dbatloader_w0
Parent samples:
SHA256 hash:
47b0808dc672bdab43262faac9ee31d26f18ecd0527419ee9a8ded53e508e2b9
MD5 hash:
6339f06b4dea9250f8009b63ddee95e6
SHA1 hash:
b010c6e985916d5b1c4148870a7093ad324e06ff
SHA256 hash:
3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481
MD5 hash:
8dfd157a338780f5b297db88b8261e65
SHA1 hash:
6de7786af64243fc2c37d1c660a7a49485bb27e2
Malware family:
XLoader
Verdict:
Malicious
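The hashes on this entry (the sample's MD5, SHA1, SHA256 and SHA3-384, the unpacked win_dbatloader_w0 payload and the parent samples) are the atomic IOCs an analyst sweeps hosts or file shares for. The Python below is an added example, not MalwareBazaar code: it recomputes the four cryptographic digests in one pass per file and reports every file whose digest appears in the IOC set. imphash, ssdeep and TLSH require third-party libraries and are not covered; the target directory and the test content are assumptions of the example.

```python
"""Sweep a directory tree for files matching the hash IOCs on this entry (added example).

Not MalwareBazaar code. MD5, SHA1, SHA256 and SHA3-384 are computed in a
single read per file; imphash, ssdeep and TLSH need third-party libraries.
"""
import hashlib
import os
import sys
from pathlib import Path

# Hash IOCs copied from this MalwareBazaar entry.
IOC_HASHES = {
    "3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481",  # sample SHA256
    "e66db110a41eeea4272545c515dfd90adfad87d814b81aed0f252fdabf847d91"
    "bba350307258e1a6bddd71ae7974c0fb",                                  # sample SHA3-384
    "6de7786af64243fc2c37d1c660a7a49485bb27e2",                          # sample SHA1
    "8dfd157a338780f5b297db88b8261e65",                                  # sample MD5
    "4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b",  # unpacked win_dbatloader_w0 SHA256
    "47b0808dc672bdab43262faac9ee31d26f18ecd0527419ee9a8ded53e508e2b9",  # parent sample SHA256
}

ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def digest_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root, iocs=IOC_HASHES):
    """Walk `root` and return [(path, algorithm, hexdigest)] for every IOC match.

    Unreadable files are skipped rather than aborting the sweep, so a locked
    or permission-denied file does not hide matches elsewhere in the tree.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue
            for algo, hexd in digests.items():
                if hexd in wanted:
                    hits.append((str(path), algo, hexd))
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py <directory>; defaults to the current directory.
    for hit_path, algo, hexd in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit_path}\t{algo}\t{hexd}")
```

Matching on any of the four digests means a hit from a feed that only publishes MD5 or SHA1 still surfaces; extend `IOC_HASHES` with the digests of further samples from the same family as they are triaged.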
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments