MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481
SHA3-384 hash:	7f1df499e603e5db0e49104c61f01e3d0f92f91edabc551506c52d570de4e06caaf5a66500d69c461fac70a69a0c7c99
SHA1 hash:	0d75d723367dad7b415cc3fd8c8c9a0fe90eae24
MD5 hash:	8b62f48c8eaf2086d8d435cff2e1f8af
humanhash:	zebra-yellow-speaker-hydrogen
File name:	PASU5160894680 DOCS.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	751'616 bytes
First seen:	2024-09-09 11:30:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:XzjLf30WH0ND79hxy0dU2DiWSeC/18F4k9n7xPGncDHVx6SC1gyRW+cLTsSF3:Djj0yW79ryDv1G97dRSX+6e1
TLSH	T11AF4231168FA6B6DE5AACBFA45A30080533735332172E71D7A5960DD4C33F8256E233B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

404

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PASU5160894680 DOCS.exe

Verdict:

No threats detected

Analysis date:

2024-09-09 11:49:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5b75b052-4e53-4a31-a683-09480fbc4cc7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Msilheracles-10020638-0

Win.Packed.Agensla-10021078-0

Win.Packed.Formbook-10021419-0

Win.Dropper.Nanocore-10024150-0

Win.Packed.LokiBot-10026312-0

Win.Packed.LokiBot-10027126-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66dedc90ee4e81557817166a

Tags:

Execution Generic Static Stealth Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

formbook packed vbnet

Link:

https://www.filescan.io/uploads/66dedc8a7fd554a24b9b542b/reports/0274f7d3-19f2-4611-8600-a6b04df91859/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481

Result

Verdict:

MALICIOUS

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f908a4cd-e896-4285-bc4e-6f44abc0f2c1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1507876

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2024-09-04 18:29:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hyjbkf62ja2hmvzpmvqeu3c27rjvfne4tqsz3xahwxt4ox6i4saq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery execution

Link:

https://tria.ge/reports/240909-nmq1fsxgme/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/928f6810-72e0-4575-b8e6-34dc719aa19b

Unpacked files

SH256 hash:

c29d7b27825595bdd242ca177e624bc2e1e3e171e44a0b901d356c96acf38031

MD5 hash:

b92ae828676e499e1cb88d1df8d0a508

SHA1 hash:

cb9865ea876ef2abed29c9c376e8e8a8785a69c4

Link:

https://www.unpac.me/results/e1744bc3-633c-49f5-802c-ca2a89354c90/

SH256 hash:

c7965f9601a87fc6015d61ad2a38edfa333023f62b041d1e3fd72c9728d8a24f

MD5 hash:

473fa4e825eb6e59751a5a6a08d3ac0d

SHA1 hash:

190a2fade997a0aad017bc02d711793f78c956c7

Link:

https://www.unpac.me/results/e1744bc3-633c-49f5-802c-ca2a89354c90/

SH256 hash:

7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f

MD5 hash:

7fa95c2554a74e0805581e20305069d8

SHA1 hash:

aa77eebba993f3e79b4971f5c135286e40b066a1

Link:

https://www.unpac.me/results/e1744bc3-633c-49f5-802c-ca2a89354c90/

SH256 hash:

7e8da12dddf67cf9ce6a497b12283f013258d018f6054f4687a8662f1786fcd7

MD5 hash:

e4a0c4eb01e03511df4d796d04ee6a7f

SHA1 hash:

194aeb9fd3da7e5aa431afb29c85f481f28eaf13

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e1744bc3-633c-49f5-802c-ca2a89354c90/

SH256 hash:

3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481

MD5 hash:

8b62f48c8eaf2086d8d435cff2e1f8af

SHA1 hash:

0d75d723367dad7b415cc3fd8c8c9a0fe90eae24

Link:

https://www.unpac.me/results/e1744bc3-633c-49f5-802c-ca2a89354c90/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e121517da48/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3e121517da483476572f65604a6c5afc5352b49c9c259ddc07b5e7c75fc8e481

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample