MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895
SHA3-384 hash: ca6a33d6986ccf397159c7ff38d3a6dc0791e1990ead81b84cc361b7c159fd8d9a7ded30395c072c38295cb57e109504
SHA1 hash: 57d585516caf6888721004c2922eb71eec740740
MD5 hash: eb4239d070621b62079f30e89138c5dc
humanhash: emma-salami-saturn-nitrogen
File name:JESlUUyfIaG1uZ2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:705'024 bytes
First seen:2022-05-17 13:17:16 UTC
Last seen:2022-05-17 13:43:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:AGmMcP2gAzI9GSnPG357+ywupwCbxAIdyf4FSXRad9YSrkiLDi:T5cOPzzkA5yFuXxAMyXXRanYC
Threatray 15'556 similar samples on MalwareBazaar
TLSH T1B1E4F1597EA1CF12C36A52B5C1E7542803B291066336D74B7FCE53EA0D023E66DCA78E
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 65e4d2eaecc4d859 (17 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter malwarelabnet
Tags:exe FormBook xloader formbook

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
JESlUUyfIaG1uZ2.exe
Verdict:
Malicious activity
Analysis date:
2022-05-17 23:44:50 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/6de9dced-e9f7-4207-8496-953503fae817

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271609/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.14323.5926.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6283a0f7cc43366302d0f650/reports/db42b594-c54e-45bb-8e7b-59b6102850b5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3578bd94-ea45-4c26-8df7-0b2191a75d45
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995852
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 628368 Sample: JESlUUyfIaG1uZ2.exe Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 31 www.thorrmetals.com 2->31 33 www.0w67.com 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 8 other signatures 2->41 11 JESlUUyfIaG1uZ2.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\JESlUUyfIaG1uZ2.exe.log, ASCII 11->29 dropped 51 Tries to detect virtualization through RDTSC time measurements 11->51 53 Injects a PE file into a foreign processes 11->53 15 JESlUUyfIaG1uZ2.exe 11->15         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Sample uses process hollowing technique 15->59 61 Queues an APC in another process (thread injection) 15->61 18 explorer.exe 15->18 injected process9 process10 20 cmstp.exe 18->20         started        signatures11 43 Self deletion via cmd delete 20->43 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        25 explorer.exe 128 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 12:53:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hrjh3yjv2iwapjotb6t3o5iivosasu3usemnkfvu2fekva7e5ckq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
387234df5ff2369a1a2bd25b060d5d7dd3817e07577baadd33bdf5c2dc7725c1
Formbook
3bdf54d6b07a96a026ed34f1db8d5cc442c1a211d02ff888659d7263ccc77c4c
Formbook
3e20e05dc0f89bd2a37936b5e3a2631af6cdb687218275731b6f7e7f79febc9e
Formbook
3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef
Formbook
4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
Formbook
6b19bf1ec55b55f38c00c74fd66dd45c8d7e12eebebca913c4d21152ed0ced8c
Formbook
6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf
Formbook
bea7dde650c823aa2887bc7065abd818c02e573c041ea69c1ea60c43fe1a79df
Formbook
d7dc569e0cf8cc6afc0a4a922263195ea12051b1db428fcf9fba724d90261a5e
Formbook
d951d78db324f840c3dd3233c7900a8193329d769550cbf1c8857d5ef3fb5252
Formbook
+ 15'546 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:zu08 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220517-qjx1psfabk/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
999f56bcf47a52e9532d726f8591c22bbf92377a9c771e07b3698078ac178bce
MD5 hash:
a8956c5a544bc95926729cc2a7b6d887
SHA1 hash:
fcdd94ffc7f88d47f1154f7347de24bf5642003e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9f3d26f5-2134-4b50-96f7-b897f58f4425/
Parent samples :
3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895
89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0
b3079271c72a5c63650370194d8ad28525c77fc82597c27814721f9e7353ce7f
a93c67d2ae1acd50d6d898346aef23fb611bc48ec65424c71d59a309beda6007
decd4856d8e7fd3697f2d31c429a87bb46ffd0a8036707ebc1c59de447f36525
SH256 hash:
148cd91eeb8ef926cdf0181cb77d3d0fb2183ff2dffe0a61983bf1b1642d4340
MD5 hash:
65ab2c6e5ae607fe1a3f1b832831e7f2
SHA1 hash:
f842dd493b923bd3c09f80d907f13750d81249f3
Link:
https://www.unpac.me/results/9f3d26f5-2134-4b50-96f7-b897f58f4425/
SH256 hash:
97527da0af9e8321eb6aa2c760bc3a6453341b0fef90c44595a02945c2dd3144
MD5 hash:
332f0164e6b19699174c491d839d6ec9
SHA1 hash:
eadeadeaf7bf3978d86d633bd054e4ff317ecc40
Link:
https://www.unpac.me/results/9f3d26f5-2134-4b50-96f7-b897f58f4425/
SH256 hash:
df4423a36ab0c4e3c409b9472a304703740ca1726568bead0692d9c6e43c7f94
MD5 hash:
d0adb7a5ee2f2c003969b9810875baa9
SHA1 hash:
e640af4f0d70265a4ea7107204c298ab8417da92
Link:
https://www.unpac.me/results/9f3d26f5-2134-4b50-96f7-b897f58f4425/
SH256 hash:
2674737b51fd4bea5fcff0dcdb216d664f42aba1e48650f5dd5a0cde05301cb0
MD5 hash:
4bd08d07bbbcd6f818d4bac3ca888915
SHA1 hash:
e54578b1d07d24734cd6662ab8a746a3ddf0646c
Link:
https://www.unpac.me/results/9f3d26f5-2134-4b50-96f7-b897f58f4425/
SH256 hash:
3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895
MD5 hash:
eb4239d070621b62079f30e89138c5dc
SHA1 hash:
57d585516caf6888721004c2922eb71eec740740
Link:
https://www.unpac.me/results/9f3d26f5-2134-4b50-96f7-b897f58f4425/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/271609/

Comments