MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093
SHA3-384 hash:	e14e385d1299862e604f16f15cab496730f6731bed1b52fce60942791bd3b73171416d5a76026c62dd1fb93c7556c72e
SHA1 hash:	5b5d738c5bc450fc7101177581328ee9b1006574
MD5 hash:	b4f63e508c2f7a20c40d74bd1478aa21
humanhash:	west-virginia-arizona-fanta
File name:	3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093
Download:	download sample
Signature	Formbook Create hunting rule
File size:	186'368 bytes
First seen:	2023-04-05 12:20:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:+v2nYDcl5S857LjTJ/fuDiRDBW/0CmoWEkpQ1H6SlmJwRE/RYyvzAyFKMgDh1G:+eYDlQLjTJeORDBGB1aAmJwREVbA2f+c
Threatray	2'477 similar samples on MalwareBazaar
TLSH	T16404234347CAE6E8F727157536599FFC40C725BC31A8E45E7C38AA201FBE1DD90A8A60
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093

Verdict:

No threats detected

Analysis date:

2023-04-05 12:20:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/803f5630-a39a-43c3-a41d-eefc1d14c290

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/380289/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

75%

Tags:

packed

Link:

https://www.filescan.io/uploads/642d67b005c72da113b38f93/reports/b773fd30-9a88-4eb3-80c1-a26565799e55/overview

Verdict:

Malicious

Labled as:

Ser.Razy.Generic

Link:

https://www.hybrid-analysis.com/sample/3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4178b14-f43a-4204-9b2d-6fc62452a39a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1208806

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-04-05 12:21:07 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hwu7w6bw5oqzt6byvgi7rms6drmtavzkbm5rsnoe3e2caieymcjq._file

Verdict:

malicious

Label(s):

formbook

Formbook

07d979878c4aabc0af1120eccb19293cdd19658b840268e4145e56f5c4e13053

Formbook

3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583

Formbook

48f874286909722bc890448810d0ebd5b3b711e9511e08fcd07fea4f59910ba2

Formbook

4fec09c02c8f80d1d158bfd9bc6e4adc5aa9891726901db4572843c405e2519d

Formbook

5e517d06a3b252c0bced1ed16f1741fa73b4e0d4b81ec2daf71b57954604afc8

Formbook

62d20f5ce8950e995b0736bb3bafedb34f3b7d95f190b3a0a1592d808f697cac

Formbook

702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d

Formbook

c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824

Formbook

+ 2'467 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230405-pjbl2agf2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

bc5b1604e13a8bf063b5faae2cd9400268b7082b97c9f412bb9b086a149be28a

MD5 hash:

8c18850df1d7f17a9cc13a532f248e10

SHA1 hash:

aa42c4a83ae066eb41d27164c8fcd8588124e618

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/697200f7-ffd6-491f-8452-5cb6e849ce63/

SH256 hash:

3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093

MD5 hash:

b4f63e508c2f7a20c40d74bd1478aa21

SHA1 hash:

5b5d738c5bc450fc7101177581328ee9b1006574

Link:

https://www.unpac.me/results/697200f7-ffd6-491f-8452-5cb6e849ce63/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3da9fb7836eb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3da9fb7836eba199f838a991f8b25e1c5930572a0b3b1935c4d9342020986093

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380289/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample