MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a
SHA3-384 hash: c725adf2c13ddb452f4e0aab4c9b51987d70df011ce4e17daa66c66c395d39af3bb53eaac3043bbf89bae56273277ef3
SHA1 hash: db3bb0fa734a9f555e01d2011dc8e626abe9aaa6
MD5 hash: 2f3ee0a5e9aad3010204c7a547761e13
humanhash: alaska-bulldog-football-victor
File name:JOU23013126.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:638'650 bytes
First seen:2023-12-12 13:28:52 UTC
Last seen:2023-12-12 15:29:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 12288:Nk4Yq4qo7hwWUydd5gMKtQv2L/cDFdNY+aFy7Mms8TYamQOSm4Lq0:P2qoSWUCvgN+uL/cNL73samBS/Lq
Threatray 599 similar samples on MalwareBazaar
TLSH T1CED423E97A948563ECC1CAB14E79A3A697F96F084363620F6720BF77363374091446CB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon dc9c98d991285458 (17 x GuLoader, 6 x Formbook, 6 x SnakeKeylogger)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466389/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.5987.13094.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the Program Files subdirectories
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65786026fa995ae15340ab0f/reports/902f38f8-098a-45e5-bf95-0d3aed5def57/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe0d9e4f-211f-4530-b53b-02bdf04f63f5
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360147
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1360147 Sample: JOU23013126.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 45 www.massiliapousse.com 2->45 47 www.lemartinez.za.com 2->47 49 6 other IPs or domains 2->49 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 Yara detected FormBook 2->71 73 2 other signatures 2->73 12 JOU23013126.exe 9 46 2->12         started        15 wab.exe 1 2->15         started        17 wab.exe 3 1 2->17         started        signatures3 process4 file5 41 C:\Users\user\AppData\Local\...\Falsummet.Qui, data 12->41 dropped 43 C:\Users\user\AppData\...\ornithorhynchus.sen, COM 12->43 dropped 19 powershell.exe 12 12->19         started        process6 signatures7 75 Suspicious powershell command line found 19->75 77 Very long command line found 19->77 79 Found suspicious powershell code related to unpacking or dynamic code loading 19->79 22 powershell.exe 15 19->22         started        25 conhost.exe 19->25         started        process8 signatures9 81 Writes to foreign memory regions 22->81 27 wab.exe 6 22->27         started        process10 dnsIp11 57 lemartinez.za.com 50.115.174.254, 443, 49713 VIRPUS United States 27->57 83 Maps a DLL or memory area into another process 27->83 31 VtlipLUDtT.exe 27->31 injected signatures12 process13 process14 33 verclsid.exe 1 13 31->33         started        signatures15 59 Tries to steal Mail credentials (via file / registry access) 33->59 61 Tries to harvest and steal browser information (history, passwords, etc) 33->61 63 Writes to foreign memory regions 33->63 65 3 other signatures 33->65 36 VtlipLUDtT.exe 33->36 injected 39 firefox.exe 33->39         started        process16 dnsIp17 51 www.weber-e-store.com 91.195.240.117, 49715, 80 SEDO-ASDE Germany 36->51 53 massiliapousse.com 109.234.161.150, 49720, 49721, 49722 O2SWITCHFR France 36->53 55 2 other IPs or domains 36->55
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 00:16:05 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hy5mdugvdhutgoklhrzioe5rak44uy6vppbee5mr6t6m6de4aeva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cfc4a24356e2c51ac3513f44b2ab354b72bf131c334c0a5206e9c39dbf15104
Formbook
50fc82d5c17dd18d51f9c65c690592c4af3717d213fec18bc06543729bc464bd
Formbook
6682a9ae29a4788eb3b06d9b81f0966b18f75543626817908cfd57be91f39bf0
Formbook
7a2b3db6ca1b0485e240d6da031f84da23ea0009e759404dbaa9eaeae6122721
Formbook
a20fa4193eed761f19b7fd7abca68d837d1a93df5bfff216573fddb830999f10
Formbook
af40728c6916a1018b6ac0a6639eb8d357f1253d5ca073b8aebc18dffdb9fac6
Formbook
d0c0f885cba76d7fe0c438ce7c3dbada5c8a46cd47e0f61b5f1258cf5cd3b53f
Formbook
fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4
Formbook
+ 589 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231212-qq8qsafcc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a
MD5 hash:
2f3ee0a5e9aad3010204c7a547761e13
SHA1 hash:
db3bb0fa734a9f555e01d2011dc8e626abe9aaa6
Link:
https://www.unpac.me/results/cf9bea40-fa1c-4380-824e-3f30999a9e8f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e3ac1d0d519/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/466389/

Comments