MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d5b5fd7346a2b3a5950888dc55d1434e6bbba21dcba56a5d26e38163db8a523. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d5b5fd7346a2b3a5950888dc55d1434e6bbba21dcba56a5d26e38163db8a523
SHA3-384 hash: 1bebdb191037ec4295603e85b1cfc19c36f2ef88f37daee31b24f2366817e393824bcb5a5e8e4b9334cc7fede67eb730
SHA1 hash: 4df62f3a7513f28566ad65d2dfbbef319783d46f
MD5 hash: 9744374e36ae57b30760ba03d5da9aec
humanhash: october-purple-georgia-monkey
File name:9744374e36ae57b30760ba03d5da9aec.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:878'080 bytes
First seen:2022-03-23 20:07:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:iHrAUcKaA7LJyLNKQPBkXtbBLxaF4/8dTCFFm2zLKsfrFZg1uG:GFda+KNK1bLsFUbmoLKQZg
Threatray 14'352 similar samples on MalwareBazaar
TLSH T13515AD7133B41606DDA66E3BBAD0019FAB6C3BF8B504C8D1709C41CA9AE908DD5DC9F6
File icon (PE):PE icon
dhash icon ccaaa2d4ecc8d0cc (1 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256879/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Adding an access-denied ACE
Launching a process
Creating a file
Searching for synchronization primitives
Searching for the window
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623b7e5edfdfa8501cd47a0a/reports/ed8f1e86-a168-4cc8-a918-82383bf87a8c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0588cf7c-4bc7-4843-a4e4-37dc22379a63
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963176
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d5b5fd7346a2b3a5950888dc55d1434e6bbba21dcba56a5d26e38163db8a523/
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 15:27:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvnv7vzunivtuwkqrcg4kxiugttlxorb3s5fnjosny4bmpnyuurq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
42c22b1ceff07541d20717e8b9fea63a1418dc92917303cdcf48cce246a7d29f
Formbook
4362e65d6f2a5101b1f93ff87e77f0323dc58a87b4034fb2fa23fc876742b2cc
Formbook
4ba70a201f9aeed927954ccf79ebba102df5f50c437c278636b1905b3f71058f
Formbook
4ef7fd77d0aeab8a926e96d00d212b4ba60c3ef74d43dc31b18780853134f13d
Formbook
667e5e3584ef11bc6dc12e693546b3a62cb487d507379e9dc4be3a1767d80be9
Formbook
cd8517b48008d82b4246f4fa0dee41f6510127486f8c1e24293174c794f35684
Formbook
+ 14'342 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:dgrg loader rat
Link:
https://tria.ge/reports/220323-ywlr7saed6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
740d2eb0636ec3b5cd90dfca1eeee0c571f5181626759773940eca1948b4d292
MD5 hash:
3ca197ae99921e142f7e8a139e66cb39
SHA1 hash:
0be110c5ed8e25188c1030a43f758438cec47d50
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a3c41e66-0c28-4c90-b9c7-07353736cbb6/
SH256 hash:
786da15bf16d8ad992d32721ad276b03c5fe3f7e25cc98413b677f23cb8423b1
MD5 hash:
7c998c7c7ee8901a3ab19dcd71a68b85
SHA1 hash:
cb6a7fd8a06bba09b8a7a50a3a0df772e995eed0
Link:
https://www.unpac.me/results/a3c41e66-0c28-4c90-b9c7-07353736cbb6/
SH256 hash:
152865132ee14fb933578ce06ed31b6e623d576f42f97dd88dc645e7a3bc728d
MD5 hash:
1ecb00ceb1d5475e751c3648ca1f33f0
SHA1 hash:
22dd46b403b5f57f628a1e9a955596828b733735
Link:
https://www.unpac.me/results/a3c41e66-0c28-4c90-b9c7-07353736cbb6/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/a3c41e66-0c28-4c90-b9c7-07353736cbb6/
SH256 hash:
3d5b5fd7346a2b3a5950888dc55d1434e6bbba21dcba56a5d26e38163db8a523
MD5 hash:
9744374e36ae57b30760ba03d5da9aec
SHA1 hash:
4df62f3a7513f28566ad65d2dfbbef319783d46f
Link:
https://www.unpac.me/results/a3c41e66-0c28-4c90-b9c7-07353736cbb6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/3d5b5fd7346a2b3a5950888dc55d1434e6bbba21dcba56a5d26e38163db8a523

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3d5b5fd7346a2b3a5950888dc55d1434e6bbba21dcba56a5d26e38163db8a523

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2111141/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/256879/

Comments