MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e57610037924c21124e91f187f11f45e1d1cc44de45a1d965cd29a92d56f450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments 1

SHA256 hash:	3e57610037924c21124e91f187f11f45e1d1cc44de45a1d965cd29a92d56f450
SHA3-384 hash:	37b4eae6c534e8cd3a8e25b7f4f2b480eb57fac9c85482a647d802c01808ca5b0adf1b9a81a28967f79ba98242f03401
SHA1 hash:	b791868359118a324ca421e53de444b3c20b7b9a
MD5 hash:	fc079ff271b7d899595dac726f2a97d3
humanhash:	saturn-bacon-hawaii-winter
File name:	SecuriteInfo.com.W32.AIDetect.malware2.8271.16841
Download:	download sample
Signature	Formbook Create hunting rule
File size:	927'744 bytes
First seen:	2021-04-19 10:44:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ae2c4479d481e228e7e34016a25573e (2 x Formbook)
ssdeep	12288:e+e11/n842jZtcjy3wkqXlg8mh/otvVIRyLT2l1sQCLV:e+ev/ycrdhvVl9
Threatray	4'353 similar samples on MalwareBazaar
TLSH	63156D11B28144F7F27E1E388C1B2664D9A6AE703A345D461BB41D48BEBF7513F3DA82
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3.zip

Verdict:

Malicious activity

Analysis date:

2021-04-19 08:23:19 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/dfecc242-847a-40c3-87e0-aab9213ed957

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/138393/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.8271.16841.UNOFFICIAL

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/686626

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Detected FormBook malware

Found malware configuration

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Steal Google chrome login data

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e57610037924c21124e91f187f11f45e1d1cc44de45a1d965cd29a92d56f450/

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzlwcabxsjgccesoshyyp4i7ixq5dtce3zc2dwlfzuu2slkw6ria._file

Verdict:

malicious

Label(s):

formbook

Formbook

40877c93388c9ea545a95760ecd8fe9f7e9909b4cb96a906a3ab90408cf6c6cf

Formbook

85c528083c96b1f895ddd73681a8b78caf639b8dcf91eca47ae4e7e7cd3e3540

Formbook

8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c

Formbook

b38c11ce5d7c368dd1b51d1b5d8df3e09abff40390f68a1f81dacccfe3f01725

Formbook

d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5

Formbook

d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718

Formbook

dd4d1da7c146e47e25b601cba1d6f324eace694055d43e1c67288df6a0ea1951

Formbook

e096e858f6e33e79359f9be68c43cdb8536c99a6282adb420496e11b12a4aa4c

Formbook

e5561555b0be45246e4ce5418a203d5a0d800595de770d772d0d86d0ed2662bb

Formbook

+ 4'343 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/210419-1jgd98314a/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.joomlas123.info/3nop/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e57610037924c21124e91f187f11f45e1d1cc44de45a1d965cd29a92d56f450

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_DLAgent07 Create hunting rule
Author:	ditekSHen
Description:	Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/138393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-19 11:05:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [F0002.002] Collection::Polling
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0060] Data Micro-objective::Compression Library
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0046] File System Micro-objective::Create Directory
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [C0007] Memory Micro-objective::Allocate Memory
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0038] Process Micro-objective::Create Thread
19) [C0041] Process Micro-objective::Set Thread Local Storage Value
20) [C0018] Process Micro-objective::Terminate Process