MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f
SHA3-384 hash:	81bb745933aa5c289a3aa94482eed026136f8a99f4fc3d4e97a0c835085d5bb7b07fe932b59722ca555994ca0939c4ae
SHA1 hash:	37a88f4f80b5e8e4345eefbbb9f2b23df08de18a
MD5 hash:	6d1c90c44010cfd2f785c5d415a5cd18
humanhash:	zulu-speaker-fish-floor
File name:	comandă de achiziție pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	418'816 bytes
First seen:	2022-01-27 13:06:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:LD50VO+Q45IX8LhyTah2QFvuQp5D2oeGBtAzY6XXXtDMpgAHiW18sk/OIw:XWFWQp81gtOYkXNMgMifh2I
Threatray	10'183 similar samples on MalwareBazaar
TLSH	T1DA94F138228AC69AF04F89F4167CF9B1017230E379C84A75075E565ADBEDEA53F8160F
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

comandă de achiziție pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-01-27 23:09:14 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/2fea2517-4226-4bdc-a0dd-ff9ddd80ed56

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/224316/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61f29903c4bcf3287a612a33/reports/a51de8d0-d06b-410d-83d8-5975997d8c59/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/59214965-97f2-4d6b-9902-d65eb8dc4429

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928970

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-27 06:19:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=huun67c7uma3jzwyb5f3zhp2oc7moywkl3yilpgig45uwnm3c57q._file

Verdict:

malicious

Label(s):

formbook

Formbook

10aa7088156f972d7f44c8183c9b26c4ca290e5e1b92b59585a91b9946fb73e2

Formbook

123ff9f9a3f12261b2f1b201cf6c0c009b94ccab53d22f414113dc926f9eef63

Formbook

2e6c1e04f6f08de897e180ebf20a7ee0c5dc54e1c4041580386e24f8fbf67658

Formbook

6403d40c99b5036c9410e11c11872bdceb1955da70a17bdb979cac381d09cc74

Formbook

711f3855c0fe6398f1fdb5a870de829c005b60cd4c90bd8ecae5780b9427716f

Formbook

a92ecb180e390074e280143710c718ab92687c893701b7c535f704231c92175f

Formbook

+ 10'173 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:g2m3 rat spyware stealer trojan

Link:

https://tria.ge/reports/220127-qcn48adee2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Unpacked files

SH256 hash:

c5b71db9f1b9cd63452ad836762bf1381ddf0a833df8ce17a3439ae9e92178cb

MD5 hash:

681a48e3a833b98293bebb8f47b2fc3d

SHA1 hash:

610f31e10da0f45fa658594f784eba651b99bee1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/a79a5f55-a15b-4dcc-b719-53f32ca2814b/

Parent samples :

3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f
13ce54d053256ed33282cc8e8a47f9a3c83f9b96f4230df70a7b947c55c611f5
7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce
134564f9e07f69726c8cfc19fcaf998d7f00163d704e9a2864b2d592be84d091
e9f29862ff2acf2bf4ca90262d717a32ed3236656081e6014e9b55d962707c1f
2c3c06ae684b68083640169fb962cc24fb32d4efe232a0ec0727f7c5d69dacae
dce0a6cd0dcb808bfcdd3539f85721d004f7b528832314d40149039262440349
8c3f224cf0567bbd99154105d471e29b60f5e5c0afb2683be992c9f702a7e7d9
38b3959cf30fce3b03c31286231db4d220427e31af7e3d7458792cdb3e8b895d
a0af1e02a12e827298c0209e485466f4c3ce4d3bfc9b50f778d6004d5c2abde0
a8e45b2b0117e0a1e195a054667fca524862223bd2838a17f2ac9f47fe6191cc

SH256 hash:

5247926388ed51a1178cb1de85bc5df1443c240ace43d7d9386edf8d7fceec02

MD5 hash:

9a6cb543f17cc6f61c016dbc8a331bc2

SHA1 hash:

62210e9d0f4d5b8101886a336feb3e1ae0eaf824

Link:

https://www.unpac.me/results/a79a5f55-a15b-4dcc-b719-53f32ca2814b/

SH256 hash:

cd42915d172d862f86cd677ccc2f5980f24c78bc8c400aca74e9f0cb3eff7869

MD5 hash:

627ac8775c5605d0c4ed8bfae3bc1adf

SHA1 hash:

096f8777aeb05a6484a965ba9cfa85b46a2d817e

Link:

https://www.unpac.me/results/a79a5f55-a15b-4dcc-b719-53f32ca2814b/

SH256 hash:

3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f

MD5 hash:

6d1c90c44010cfd2f785c5d415a5cd18

SHA1 hash:

37a88f4f80b5e8e4345eefbbb9f2b23df08de18a

Link:

https://www.unpac.me/results/a79a5f55-a15b-4dcc-b719-53f32ca2814b/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3d28df7c5fa3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/224316/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample