MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65
SHA3-384 hash: 23467f21996a445b567a037a340841c38cb8689a9b9fd4f92d986f1ba1249b43fe8417211d7cbd51c0e695ab7c15078a
SHA1 hash: 1929c4c64ea4cc18608eaf6140d1b28fa98d7ed3
MD5 hash: 2220944d9985a6843374f41b835a9825
humanhash: michigan-mississippi-hamper-dakota
File name:2220944d9985a6843374f41b835a9825
Download: download sample
Signature Formbook
Create hunting rule
File size:278'528 bytes
First seen:2021-06-25 08:35:24 UTC
Last seen:2021-06-25 10:45:38 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:5EtTqjFaFtV9KoA68Atd/Tdle0U0gCKTkn9om07/6s2eD5HG:5E9fN26ZtLlDGCos9ofis2gH
Threatray 6'043 similar samples on MalwareBazaar
TLSH F4441227B2E184B7E10497321CBAAF75F6BEDD219E62270717003F3E2EB15DB4906265
Reporter zbetcheckin
Tags:FormBook msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168281/
Detection(s):
SecuriteInfo.com.Trojan.Loader.847.26111.24412.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808008
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440419 Sample: hGpEbxogJ3 Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 4 other signatures 2->52 8 MSIB1B9.tmp 20 2->8         started        12 explorer.exe 2->12         started        15 msiexec.exe 2 2->15         started        process3 dnsIp4 26 C:\Users\user\AppData\Local\Temp\xtztqqxjwt, DOS 8->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 54 Detected unpacking (changes PE section rights) 8->54 56 Maps a DLL or memory area into another process 8->56 58 DLL side loading technique detected 8->58 60 Tries to detect virtualization through RDTSC time measurements 8->60 17 MSIB1B9.tmp 8->17         started        30 bebek-store.com 109.106.250.157, 49737, 80 NETNET-ASRS Serbia 12->30 32 www.stranded.xyz 64.190.62.111, 49732, 80 NBS11696US United States 12->32 34 2 other IPs or domains 12->34 62 System process connects to network (likely due to code injection or exploit) 12->62 64 Performs DNS queries to domains with low reputation 12->64 66 Uses ipconfig to lookup or modify the Windows network settings 12->66 20 ipconfig.exe 12->20         started        file5 signatures6 process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Sample uses process hollowing technique 17->40 42 Queues an APC in another process (thread injection) 17->42 44 Tries to detect virtualization through RDTSC time measurements 20->44 22 cmd.exe 1 20->22         started        process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 13:16:43 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvot5m4fh74cnf62oxhw3icb6ypxfydnnbqbbibnklv2uy65zjsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d500cd661df7071f1ff76b19067cef40b5a0ab4b4a9ac26425dcdbac6eb7e7e
Formbook
818b8b831f3c774e034e2794f1eae71f62f5388355916e948b472cfdac7f5508
Formbook
8cb74806517e40a80a20af452d811eb8c6894f29400c2c67e844b5476eb7e001
Formbook
9349259160fa0f5b568826e27ea3e372372e7fcf4d0d8b9a7a2057195824506c
Formbook
ad86b6dd3faef43b4ef56786e35a7d2b38a369e6082c72c3cac0267a5b8efc5a
Formbook
b03f6bc5eec0f24076b3ef2c761b21d75c489ad34c5f94dcffab6d2b4d65263f
Formbook
b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2
Formbook
c2336a135878814b7b9b82146879a4ee8910e0a7e540415cb3716e1f62c1ea41
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
da8ac5be69302fcd92625e881ea1494e67b97ace71fcfa9e068f7d7b004f2248
Formbook
+ 6'033 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210625-3e55lmsdge/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.withrachlv.com/thl4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi 3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1397039/
Cape
Cape
https://www.capesandbox.com/analysis/168281/

Comments