MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c0036c86eda77a41369d7727d4825c280a8a32641e66bdb4b67e80d95ced9f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c0036c86eda77a41369d7727d4825c280a8a32641e66bdb4b67e80d95ced9f0
SHA3-384 hash: d4569d62e1a4686839aa794c4d72de213e08c46162439be910d74e4b63ccfd763bfa519ed359380c694f6af85bc0590a
SHA1 hash: 7b4977797332e410fe96126025caedc4a1e673ef
MD5 hash: 6c90161396d9442a6c006600cd7aef7d
humanhash: orange-august-robert-robin
File name:6c90161396d9442a6c006600cd7aef7d.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:310'005 bytes
First seen:2022-03-18 11:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiwxcYCUXQRVJucxun8R/8L61qduEcQCUwLar0gw4x/g58CniT0Xv/9kHm6+v:ExcYCfo6un8ZzGCbLaggwc/g5rII7pv
Threatray 14'170 similar samples on MalwareBazaar
TLSH T16F641250B64AC67BC9E15EB41A37D6AEEBF84ADB63016D2F4F749F903C6113B02046B1
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://192.210.149.28/65/vbc.exe
Verdict:
Suspicious activity
Analysis date:
2022-03-18 08:40:11 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/5c262b56-72ec-49dc-8016-379b79beafaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/252552/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62346fb9dfdfa8501cb54eca/reports/38b2f00d-8173-4d2d-ae7c-233f6da73cf8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68a8d560-a3c0-4bf9-80d3-7436e462fef4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959478
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 591959 Sample: zFKR96vbvy.exe Startdate: 18/03/2022 Architecture: WINDOWS Score: 100 34 www.lebrunconsult.com 2->34 36 lebrunconsult.com 2->36 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 5 other signatures 2->56 12 zFKR96vbvy.exe 18 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\uxbhszaszq.exe, PE32 12->32 dropped 15 uxbhszaszq.exe 12->15         started        process6 signatures7 66 Multi AV Scanner detection for dropped file 15->66 68 Machine Learning detection for dropped file 15->68 70 Tries to detect virtualization through RDTSC time measurements 15->70 18 uxbhszaszq.exe 15->18         started        process8 signatures9 42 Modifies the context of a thread in another process (thread injection) 18->42 44 Maps a DLL or memory area into another process 18->44 46 Sample uses process hollowing technique 18->46 48 Queues an APC in another process (thread injection) 18->48 21 explorer.exe 18->21 injected process10 dnsIp11 38 www.x27o66w.cfd 43.154.50.22, 49770, 80 LILLY-ASUS Japan 21->38 40 www.momentinv.com 21->40 58 System process connects to network (likely due to code injection or exploit) 21->58 25 cscript.exe 21->25         started        signatures12 process13 signatures14 60 Modifies the context of a thread in another process (thread injection) 25->60 62 Maps a DLL or memory area into another process 25->62 64 Tries to detect virtualization through RDTSC time measurements 25->64 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c0036c86eda77a41369d7727d4825c280a8a32641e66bdb4b67e80d95ced9f0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 16:42:18 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqadnsdo3j32ie3j25zh2sbfykakrizgihtgxw2lm7ua3foo3hya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ee20ec28c5649c69a2cab43e7f7e99d9f6c839cc5ae5ed2e279281682fe3b53
Formbook
26f8a3be2038752ea7ea42cffe424d460ac03d3128f2e9305259c48a9431a09a
Formbook
452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c
Formbook
5beadd0ecc9f1407dab89746630fddf7362dd00323e6a5e5413a0c286e2ee583
Formbook
76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6
Formbook
8ee14be97acb9a642ba750f83102361ffa086aeeb3b802531259332fa14e5484
Formbook
8eedc524cbcf57998c67472c72d0db19becad221e770bea32486deb9661d3fd4
Formbook
a00b8665cf484b38e9d12d40208001acd1b890250be4bbcc78807eeedf6c408d
Formbook
c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c
Formbook
eb75ee1b5895c0cc2882a850fab0f379ca09653d92a3a7ff8569593125622355
Formbook
+ 14'160 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r75h rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220318-nte7jahgdq/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
3c0036c86eda77a41369d7727d4825c280a8a32641e66bdb4b67e80d95ced9f0
MD5 hash:
6c90161396d9442a6c006600cd7aef7d
SHA1 hash:
7b4977797332e410fe96126025caedc4a1e673ef
Link:
https://www.unpac.me/results/9b0a1282-9436-4588-9b9d-f77bad8a7163/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3c0036c86eda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c0036c86eda77a41369d7727d4825c280a8a32641e66bdb4b67e80d95ced9f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3c0036c86eda77a41369d7727d4825c280a8a32641e66bdb4b67e80d95ced9f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2103646/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/252552/

Comments