MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 17 File information Comments 1

SHA256 hash:	3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589
SHA3-384 hash:	ccde079ceea99d1e953dbf48ab37f45954320909d13ff9fbe8c3305a1db105d541e97225287df932e915f2be420e2866
SHA1 hash:	2c94db7ff0bd3c6964605f84b2bf2cefec0486d6
MD5 hash:	898a7d62ce8f67a4bf58a4d697ee65da
humanhash:	venus-happy-triple-three
File name:	898a7d62ce8f67a4bf58a4d697ee65da
Download:	download sample
Signature	Formbook Create hunting rule
File size:	673'038 bytes
First seen:	2023-10-13 20:47:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4639a0b3116c2cfc71144b88a929cfd (97 x GuLoader, 53 x Formbook, 39 x VIPKeylogger)
ssdeep	12288:JfLGuL+Ybqt4KEzCkTj5ot3/BxnoFQaLn6R0:JfLGLYGOKcnT2t3bJIM0
Threatray	70 similar samples on MalwareBazaar
TLSH	T16BE4E0403760EC9AC7D63EF37EA1E3552630EB395351060761713FAB3FAC1A36A16896
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	60f8fcfcfcfcfc08 (1 x Formbook)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Order No 455100.doc

Verdict:

Malicious activity

Analysis date:

2023-10-13 20:14:54 UTC

Tags:

exploit cve-2017-11882 loader formbook xloader stealer spyware

Link:

https://app.any.run/tasks/0a518bf6-e1c2-4aeb-a7c5-22170648d954

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/454212/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.17049.32373.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control formbook installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6529ad04422e14c65a8f5214/reports/fd2d6087-d0cc-4622-85a3-ac4253dcdd90/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d7d1bee-c1cf-465f-a537-79bed5108554

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1325488

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2023-10-13 19:03:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 38 (39.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hx74gexaettnvoq4h73zliyha2bdihm7tg6w5hyqhuucgtdjkweq._file

Verdict:

malicious

Label(s):

formbook

Formbook

6168bfdf30f058beb000e91b1ccdb8e264318f8e311f186245b16b8217787c9d

Formbook

6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463

Formbook

795998e9064cb981d6a40a34fbeee48381121ea7ac7175ffe5b506b11cf843d7

Formbook

89bcf1ff783e9986332cd6debe5fe5f424439518b7638f56b8322541a460f596

Formbook

92a11969793b832918bec3384ffadd4c626a7888d97454f4790529566d462022

Formbook

b88b53db5c1fd0779cb7718630d7ac90f0ff81cfc7e8495bff1325743adeff65

Formbook

bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3

Formbook

dc999aa2db84e4f91022be10a55e971c49da82960027b7482b44856fee46f9cc

Formbook

+ 60 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ge06 rat spyware stealer trojan

Link:

https://tria.ge/reports/231013-zlfc4sbf42/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589

MD5 hash:

898a7d62ce8f67a4bf58a4d697ee65da

SHA1 hash:

2c94db7ff0bd3c6964605f84b2bf2cefec0486d6

Link:

https://www.unpac.me/results/2c7a4bfc-2e08-4356-8bdc-32d2225b4d26/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3dffc312e024/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2720360/

Cape

https://www.capesandbox.com/analysis/454212/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-10-13 20:47:16 UTC

url : hxxp://mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/windviewcikon2.1.exe