MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d46460aaf215354db83b8299f13c6574f1792582add090d05ec38107c377e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	3d46460aaf215354db83b8299f13c6574f1792582add090d05ec38107c377e23
SHA3-384 hash:	33130af6bae4d46157171f21c09d3522d17f88d69b1c55373f2006c6f10fdf70d46e899de102e75b55e8095e1fc699ba
SHA1 hash:	a7ce553bbfe39b808be71d08502d22bc7dec97f0
MD5 hash:	a2cd698d3b58c0530006a14593501d64
humanhash:	sad-steak-idaho-sweet
File name:	yeni siparis listesi.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	748'032 bytes
First seen:	2021-09-13 20:48:47 UTC
Last seen:	2021-09-13 22:19:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	82370a24b9c73cf4d64f411275d30e40 (2 x Formbook)
ssdeep	12288:TRuJxR+RWGfhP1FBZE0Dfe4jy77ijVa4nB40lRS/HqJ:TE6P5dZ9fzjDRa4B45v6
Threatray	9'471 similar samples on MalwareBazaar
TLSH	T1FAF47C5DE2E38D72E253933DAE5BEBC16D0A6E423D55E8D92F80BC538B37594A0041CB
dhash icon	b0b03a343630b8c0 (8 x RemcosRAT, 2 x BitRAT, 2 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

yeni siparis listesi.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-13 20:51:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/428c8466-b82d-4da3-ade3-495e3a1d580b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/187585/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/617505e49a5a1e91c5d1fdcd/reports/0ea08ec2-2bec-4716-8dd6-8ce228419e95/overview

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d74871a4-7af8-44a8-b4c8-ae6c34f1632a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850172

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d46460aaf215354db83b8299f13c6574f1792582add090d05ec38107c377e23/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-09-13 01:32:40 UTC

AV detection:

23 of 45 (51.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hvdemcvpefjvjw4dxauz6e6gk5hrpesyfloqsdif5q4ba7bxpyrq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3009ff9d8a1675709ccb395bb2c45fb0046a19389e37f4e20bc672efee49f8cd

Formbook

3e167fe206a19097cd08d00335fc45f98a75cdb4697b3c530773c8803d50d0f9

Formbook

4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee

Formbook

8943af6c4da94f93c169ef98a7b8393ca92b01753e89ea5503d5740bcc45296d

Formbook

98f8f84dbf9e3a4462066c94e447ba3bdc6bc3d0119511e8c6d6cea0234f885c

Formbook

b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc

Formbook

d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116

Formbook

+ 9'461 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:bc3s rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/210913-zl1daahdfm/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.topei-products.com/bc3s/

Unpacked files

SH256 hash:

3d46460aaf215354db83b8299f13c6574f1792582add090d05ec38107c377e23

MD5 hash:

a2cd698d3b58c0530006a14593501d64

SHA1 hash:

a7ce553bbfe39b808be71d08502d22bc7dec97f0

Link:

https://www.unpac.me/results/a6c4b64e-8745-4a3c-97e0-d3731020f32d/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3d46460aaf21/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3d46460aaf215354db83b8299f13c6574f1792582add090d05ec38107c377e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3d46460aaf215354db83b8299f13c6574f1792582add090d05ec38107c377e23

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/187585/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample