MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
SHA3-384 hash: 312308216076a4beaf47e3e9b5abebb4ea2509e2862a0ba29df17a0a069c25f4549be018ab9ea3c316f8ae9220ec0ac9
SHA1 hash: d8113fa2bd2b2fa43f3920b93f9a5217b9cb69a2
MD5 hash: 73b6e5a11aff9e7bd681b55136c5fbcf
humanhash: uranus-dakota-maryland-winner
File name:RFQ 0400-ENPI-RQMA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:723'464 bytes
First seen:2024-04-23 12:21:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ijF9WMP0l64aOQ3p2K2pp4o1aCoaCoDVAcN2jWN9uq+V9mYxfY5fkR:ij2MPwc52h5YCXXjN2yD/+V9XNa6
TLSH T1A7F42350B2E45F12FABB9BB522968A219730B8CB5431DBDCDDD121CE51A1F01D6A2F0F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the Program Files subdirectory
Replacing files
Creating a window
Sending an HTTP GET request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Forced shutdown of a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21af75e3-ca45-4536-9b38-109904540718
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430324
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-23 09:11:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hstr5j6qdmpr4nqtpap422fupqe2cwnplb3mcnaglpxu3ejjc6ta._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240423-pjwl7sgb98/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f55fc16088c590695e7cf64d637da6104a4985273442ae8316d0e53dab8c8f23
MD5 hash:
0a2c403bb749e1bfc7c3ea140d96744c
SHA1 hash:
83c92cfd6f6027d64eff7bc7763eb95cee4b62e3
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
f0e65bf293dcce196162c676486073a745f072db86e553e73c2e73404dacd1c0
MD5 hash:
15abc10dff1a7ab6eddea2d73f4ac80c
SHA1 hash:
c1d1bdee4577a5d95d4c4524ae922a6ba756f846
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
68974819ddb70508ed2128bcdf04cb188fa65d6185d5c73032bbcc2698a1c844
MD5 hash:
1e49f47db86b3c9979ddf936e6f650d1
SHA1 hash:
ea22be266642a0ce9a742c3ecaed5b2a0940d9ec
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
6138a88db5c86a4e848d5ebd616b61f37712f6ff8f74c3c3fbc028e740d51aac
MD5 hash:
4d2c440ac7689504f32954079a8505cc
SHA1 hash:
a3161360dffb13423051fba7691e85c73bba03fe
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
9d29ddb766975d283e42d47ee67fd1f3b88ddecf6defe6f408651984a1eb7313
MD5 hash:
fab0e6b2412a13709095243bcf12af07
SHA1 hash:
23ad8b746833f68dcad791f23f3c7f236af907bb
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
618aaa82ab08a658cd1771378ebcc600ae5b3164fee03807642a4d346f9b271e
MD5 hash:
43ce72e32e38d1149f702121ad9523c8
SHA1 hash:
a86a2574e53a03c4ef46846996f473a7fa268911
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
33627a636aef9e4424ca681c2a18cddbd4b3b99942288bdb9b24a0f5d4745f8a
MD5 hash:
bb02050d6f658588f2a4e3e66694cacc
SHA1 hash:
9a71b5b2b1e523e3b05e47da89dd0fdfbc10a556
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
440e1e17966e6320d1cdbbb35f554d3ed931dae2bb3b530be6d1fc480b877a04
MD5 hash:
e795810a7cd911f46cf280525b853f69
SHA1 hash:
9262ad99cf40bcaba6679b34a5452ad1d7a5349e
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
3295c44491815fac9ad3ec821d6c6063f3ce091a9a3ecd6060d63cbee34b225a
MD5 hash:
d99754af9b581b98c9455a2c46c35d10
SHA1 hash:
80e124c699ecebb3891ff021ea78baf1cd4bdca6
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
661925bf4aabb06f61ac73d28a4970451e52818b68bbaed32d51821ddf3738e5
MD5 hash:
97f7b622205824b203bca2089e865793
SHA1 hash:
3a5cbaffb11a034405723a398c546d402fc7f13e
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
2451fd68ae74b50aa49c8778f91c5ef4aadc7f867bc22b13be328d68409bfab9
MD5 hash:
9fdaa4d728dca7974e5fe48b983e70df
SHA1 hash:
26ae1ffe2b618a3f7e0686dbffdc58b8db647274
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
SH256 hash:
3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
MD5 hash:
73b6e5a11aff9e7bd681b55136c5fbcf
SHA1 hash:
d8113fa2bd2b2fa43f3920b93f9a5217b9cb69a2
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/12317c25-ce9f-43f5-9ccf-3be57bc28c08/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ca71ea7d01b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments