MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd
SHA3-384 hash: b260459bc4f81c458ad2fbe1fb321ae5181356c086f6258857cde72be155e36a2d1c28eb4594f9a6852f1e3715c02edb
SHA1 hash: a2704c3f0128abd6a3d2bd5cc0bd9a0859ba7516
MD5 hash: e3ce454bea0677f6fe837524bb992be7
humanhash: alpha-cold-texas-skylark
File name:e3ce454bea0677f6fe837524bb992be7
Download: download sample
Signature Formbook
Create hunting rule
File size:803'840 bytes
First seen:2021-09-11 07:46:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:jrECkXXai8kVpy1cq5AQ0kYLzmwpZNo9y:1kXXai9Vw1lAQezmsr
Threatray 9'321 similar samples on MalwareBazaar
TLSH T14305AF076118871FDF3DA3A71F90A12B91A21CABF34496A4DAF3C358DC956C6712A7C3
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e3ce454bea0677f6fe837524bb992be7
Verdict:
Malicious activity
Analysis date:
2021-09-11 07:49:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2abb847-5709-4b1a-862b-a080698d183b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187026/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52ecf7e4-e051-4226-ab48-5e041d623593
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848957
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481388 Sample: 54U89TvWvD.exe Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 32 www.medicarehealthenroll.com 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 7 other signatures 2->48 11 54U89TvWvD.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\54U89TvWvD.exe.log, ASCII 11->30 dropped 62 Tries to detect virtualization through RDTSC time measurements 11->62 64 Injects a PE file into a foreign processes 11->64 15 54U89TvWvD.exe 11->15         started        signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 Queues an APC in another process (thread injection) 15->72 18 explorer.exe 15->18 injected process9 dnsIp10 34 www.nowfitnessreviews.com 91.195.240.87, 49836, 80 SEDO-ASDE Germany 18->34 36 www.cignaheathspringsotc.com 81.17.29.146, 49843, 80 PLI-ASCH Switzerland 18->36 38 3 other IPs or domains 18->38 50 System process connects to network (likely due to code injection or exploit) 18->50 52 Performs DNS queries to domains with low reputation 18->52 22 wscript.exe 12 18->22         started        signatures11 process12 dnsIp13 40 www.cayugaantifrackingalliance.com 22->40 54 System process connects to network (likely due to code injection or exploit) 22->54 56 Self deletion via cmd delete 22->56 58 Modifies the context of a thread in another process (thread injection) 22->58 60 2 other signatures 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 16:24:38 UTC
AV detection:
31 of 45 (68.89%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb
Formbook
2cea4d259b54152c7e175ed0739e4c4c70050a49d07cacae4d9003032e7d9990
Formbook
4796e12d5a33b3b717b0ddc65286b9de7479e86bc91cc0bdb843722a5b62951b
Formbook
8700797586a744fd3e998733ed63ab6f721bacd87c6796ea7f5c1a8f2c17a3f4
Formbook
a49278e32de8c758012e44c3519591a7997b261e453827ff7b11158786563430
Formbook
caebdbf7464e4fd875d5b487a5a0e1399329a59ae747ae86db03401f3991811f
Formbook
dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609
Formbook
f45a023c86d834183f3073c05227d6f40686aef4a71b3893b823be493d7aae83
Formbook
fda0e6ebd67375985d5085de99a4f09f197bf8ec7950eff540565ea8517fd8e1
Formbook
+ 9'311 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:t6de loader rat
Link:
https://tria.ge/reports/210911-jmh8dsbbe4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.medicarehealthenroll.com/t6de/
Unpacked files
SH256 hash:
81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c
MD5 hash:
bae511742374b721136acaa03b0c1fa0
SHA1 hash:
215c50455b01a78ea173bbb034ddbe4b452ea734
Link:
https://www.unpac.me/results/5a85e575-fad9-4232-bb21-3832a6f61027/
SH256 hash:
c9e67552c60f69c5c14bfd2ec1eac884987482cf2ec82c91bacfeea91431cfb8
MD5 hash:
063040e9030da5ac3b020e7d89506a4c
SHA1 hash:
9e28faa24ee9b18ef926abfc6132b01a50127b4d
Link:
https://www.unpac.me/results/5a85e575-fad9-4232-bb21-3832a6f61027/
SH256 hash:
04a46004f2b9ed4365c39038612e231b8932cb98f815d01a03d501d46dfd7d18
MD5 hash:
ee5015f3e60e34e6c750dc3d2ed05881
SHA1 hash:
cf9d9deb5f10816c38634c4d2ed3387a078a68d5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a85e575-fad9-4232-bb21-3832a6f61027/
SH256 hash:
3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd
MD5 hash:
e3ce454bea0677f6fe837524bb992be7
SHA1 hash:
a2704c3f0128abd6a3d2bd5cc0bd9a0859ba7516
Link:
https://www.unpac.me/results/5a85e575-fad9-4232-bb21-3832a6f61027/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1610215/
Cape
Cape
https://www.capesandbox.com/analysis/187026/

Comments


Avatar
zbet commented on 2021-09-11 07:46:16 UTC

url : hxxp://52.47.201.149/r1/z/shipping%20doc.exe