MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c
SHA3-384 hash:	0dae0b850b1953bdc30d7c3e6e280e8319c26a67e161119eca8ee22560aeae56715d03c4991b170197dd44b149350458
SHA1 hash:	30454ccb5adc2b97044ac8aaed0d0501b935779d
MD5 hash:	f3f12d3364bc3b19cca3e79a989137f4
humanhash:	indigo-double-delaware-pennsylvania
File name:	Swift mesajı 4.02.2022.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	7'168 bytes
First seen:	2022-02-08 06:49:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	96:3+9SFoH0i3zgzmJhulmOBiJxeY9vfl9gvp3nfzNt:u9coU40qJhYmOBQX9vflM3nJ
Threatray	17'036 similar samples on MalwareBazaar
TLSH	T1CDE1E811D7D81B37EFB70BB1A8639310E330E7519D4BDF6E6589125A3F12B900962FA2
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/237711/

Detection(s):

Win.Packed.Lazy-9937692-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/6202129f845a69d7734ce3ef/reports/2b1199a4-a435-4a7d-9b23-ed7da9d75f91/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/76eb49b8-f31c-41ab-8862-fcd15afb639a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935821

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c/

Threat name:

ByteCode-MSIL.Backdoor.Andromeda

Status:

Malicious

First seen:

2022-02-08 06:14:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hq7pspviatk5qdwl3mse3x374kvwk72ubcnds7ymphmj37xvzfoa._file

Verdict:

malicious

Label(s):

formbook

Formbook

4d1ac5962b58c0bf6386b85fc1c2029efb0c8d5ccf0054733795eec1ea8b3291

Formbook

703f4546b4adc3e685275a9840bafac150717c3259f629f6bf9bd8e5d191ad46

Formbook

7c7116c6a0f1e06e4c252ea45668b85c1fdf3f35216097be1208e14be4066b36

Formbook

a42b3919356aa815980faeac0fc6222bd4a2d6f6cc5bdc01c5a5f55014a9c66e

Formbook

acb28239c256d400e79f51a7f83036d19daa0d814d32dcf765d8ec9aa0293cea

Formbook

b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1

Formbook

dc65156bfa6da463f9eb980c3a551ba0cd494b53a55b3a2e9b41c766ca3c011c

Formbook

f777ad0feb1db2da7abb7c793515f7af49d06a7b4fc5904a9da436ccbd59ddc3

Formbook

ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628

Formbook

+ 17'026 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/220208-hmg5naeff4/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Unpacked files

SH256 hash:

3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c

MD5 hash:

f3f12d3364bc3b19cca3e79a989137f4

SHA1 hash:

30454ccb5adc2b97044ac8aaed0d0501b935779d

Link:

https://www.unpac.me/results/7dc5a112-4d1f-47fe-914d-321fe065e2ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/237711/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample