MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8
SHA3-384 hash: 036c6ae3acd21db20c724fad15c9028f711c2cda62b813b911e48427b4430ce7c9d47508b3b71e0097d0f402e85c3973
SHA1 hash: ff2c6c0ceacd9a97c845a1e4056ab7e1c097cf51
MD5 hash: ebf3bd44feb646d0113e34451935faec
humanhash: sweet-blossom-robin-montana
File name:wire_deposito# 00711 23-09-2022_IMG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:301'552 bytes
First seen:2022-09-23 13:06:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:UL8i9w0XHrJ7Cj3Z3I5shJd78mf9EFV2PsN2sFzVELTlg:ImqF7Mp3IKhJ58mf9E/QOFz8Tlg
Threatray 67 similar samples on MalwareBazaar
TLSH T1C9540290B7E0890BC837AF3698C688940675FD247E02C7B770E9736C4D933DA7A51A67
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312591/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.345.2138.857.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/632daf8039767769653fd8f8/reports/4632fe39-536b-422d-8436-bb6d617cb352/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d51a8743-889e-40b8-96ab-6bb0613ca65b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075896
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 708434 Sample: wire_deposito# 00711 23-09-... Startdate: 23/09/2022 Architecture: WINDOWS Score: 100 31 www.whiteoaklimited.com 2->31 33 zhs.zohosites.com 2->33 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected FormBook 2->43 45 5 other signatures 2->45 9 wire_deposito# 00711 23-09-2022_IMG.exe 1 2->9         started        signatures3 process4 file5 23 wire_deposito# 007...09-2022_IMG.exe.log, ASCII 9->23 dropped 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Injects a PE file into a foreign processes 9->59 13 aspnet_compiler.exe 9->13         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.artofpanyuliang.org 103.10.174.215, 49720, 49721, 49722 HENGTONG-IDC-LLCUS Hong Kong 16->25 27 www.piyushaghera.xyz 209.99.40.222, 49724, 49725, 49726 CONFLUENCE-NETWORK-INCVG United States 16->27 29 3 other IPs or domains 16->29 35 System process connects to network (likely due to code injection or exploit) 16->35 37 Performs DNS queries to domains with low reputation 16->37 20 wlanext.exe 13 16->20         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 20->47 49 Tries to harvest and steal browser information (history, passwords, etc) 20->49 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 04:44:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvf4wnjf2wgse4athybut6gmgrr2frnrkhumy6yvqcagy3ug7p4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0055c0240aa6da781fdbe57182ebe6d1e69c9d9a1eb401cdab0ad574e9191c17
Formbook
06a16b27c0fb73721a8e914688491abab539ea56fbe8df580fa91b22a0c8afec
Formbook
5173308acdc7cfbb18621685a0a5a6db64ad1c95aadbe4cceca348f071239245
Formbook
52d2abb85de115be28c584f6801451e67ffb745e1a2bba4589cc42430e6029aa
Formbook
73c3dfae006c92cad0d21f619a4d129475a4bb8e0f1c8922f0975b14b5472ade
Formbook
b17982b84d161b4f3071af6cedb687b80569aff940441f244642599f0eb2f8a0
Formbook
c35cd99a9bd4f1a8289d3bc98bf59a57ac7816ec16de668d37cf4ee747ab7c35
Formbook
c923b5976862e86bd94180a0f141ff001715eed24b895c1e4e2b066107c40412
Formbook
da98cbe42ca0067f1c8646f6cb039fb77e20ec5073d247376db2ee07307d528c
Formbook
f2c121b416fc3e961b271733a3e269b1227d0579676c60da524b80c15dbf33ac
Formbook
+ 57 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dqrv rat spyware stealer trojan
Link:
https://tria.ge/reports/220923-qcm7xsabhk/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a1ee12d6-6105-4378-86ec-b67fa509171d
Unpacked files
SH256 hash:
d53697a2e9e85cfe9b630101ef6154a6b11e3f4a91b063a73c26fa66c70fa0c3
MD5 hash:
999701571987eaaab43d095870f5a199
SHA1 hash:
c6edc906870069977605e38c600be95e6a6bdec1
Link:
https://www.unpac.me/results/1b1ea9b3-c7e9-4d51-a3a8-54573ccf71d9/
SH256 hash:
a52e0edf3ade811f99480da79d4678786c9710435d5af35e1b2101d0a530dea4
MD5 hash:
55b45a049b712e97736c63a1dba7a109
SHA1 hash:
fa8900c06a172d01eb88728dec35e3688b100281
Link:
https://www.unpac.me/results/1b1ea9b3-c7e9-4d51-a3a8-54573ccf71d9/
SH256 hash:
3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8
MD5 hash:
ebf3bd44feb646d0113e34451935faec
SHA1 hash:
ff2c6c0ceacd9a97c845a1e4056ab7e1c097cf51
Link:
https://www.unpac.me/results/1b1ea9b3-c7e9-4d51-a3a8-54573ccf71d9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d4bcb3525d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/312591/

Comments