MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4
SHA3-384 hash: 21cf72839301d41ab5896a136bbc55b8ce7d3e1b953f3cd5c8772bf6408e4a1ae720af902905408a0f0490a3c1730f89
SHA1 hash: 76bbd37b9fa76903785813af01c9cfb913c6b7ff
MD5 hash: cfd86b8016c2604ea4b9cf22e6316e22
humanhash: sixteen-monkey-speaker-island
File name:P1 HWT623ATG.bat.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:753'664 bytes
First seen:2024-06-05 16:24:19 UTC
Last seen:2024-06-05 17:23:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:e3qyJMgFKQK9RXZ18byY0Po42ki8BsG5llPjP/3DUhUMn9QVYT:e6OxFKQmRXAz8awlPjn3ohB9VT
Threatray 249 similar samples on MalwareBazaar
TLSH T1BBF4121467B95701E1FC87F9586A01501B793A270A22C718CD86B9FA8DB5BD0DA0FF2F
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 31f0d4b2b2f0e871 (10 x AgentTesla, 8 x Formbook, 3 x Loki)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4.exe
Verdict:
Malicious activity
Analysis date:
2024-06-05 16:25:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7961ba7c-e901-4fbe-b842-f1cd174c57c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2886.17533.24609.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6660a4bb31703c6eb9054c29win7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Nekark Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a273d0ac-15f0-424a-a3c8-66e75a70dcfe
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1452507
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1452507 Sample: P1 HWT623ATG.bat.exe Startdate: 05/06/2024 Architecture: WINDOWS Score: 100 86 www.lenovest.xyz 2->86 88 www.x5hh186z.skin 2->88 90 19 other IPs or domains 2->90 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus detection for URL or domain 2->118 120 Antivirus / Scanner detection for submitted sample 2->120 124 12 other signatures 2->124 12 P1 HWT623ATG.bat.exe 7 2->12         started        16 GnVIdcfKFYG.exe 5 2->16         started        signatures3 122 Performs DNS queries to domains with low reputation 86->122 process4 file5 74 C:\Users\user\AppData\...behaviorgraphnVIdcfKFYG.exe, PE32 12->74 dropped 76 C:\Users\...behaviorgraphnVIdcfKFYG.exe:Zone.Identifier, ASCII 12->76 dropped 78 C:\Users\user\AppData\Local\...\tmpC293.tmp, XML 12->78 dropped 80 C:\Users\user\...\P1 HWT623ATG.bat.exe.log, ASCII 12->80 dropped 132 Adds a directory exclusion to Windows Defender 12->132 134 Injects a PE file into a foreign processes 12->134 18 P1 HWT623ATG.bat.exe 12->18         started        21 powershell.exe 23 12->21         started        23 powershell.exe 23 12->23         started        25 schtasks.exe 1 12->25         started        136 Antivirus detection for dropped file 16->136 138 Multi AV Scanner detection for dropped file 16->138 140 Machine Learning detection for dropped file 16->140 27 schtasks.exe 1 16->27         started        29 GnVIdcfKFYG.exe 16->29         started        signatures6 process7 signatures8 100 Maps a DLL or memory area into another process 18->100 31 hCVJFOyzXcYEeTIAROhZtqYPJEhCFf.exe 18->31 injected 102 Obfuscated command line found 21->102 104 Found suspicious powershell code related to unpacking or dynamic code loading 21->104 106 Loading BitLocker PowerShell Module 21->106 108 Powershell drops PE file 21->108 34 conhost.exe 21->34         started        36 WmiPrvSE.exe 23->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        process9 signatures10 150 Found direct / indirect Syscall (likely to bypass EDR) 31->150 44 compact.exe 31->44         started        process11 dnsIp12 98 2.56.245.142, 49731, 80 GBTCLOUDUS Germany 44->98 82 C:\Users\user\AppData\Local\Temp\bfc.exe, PE32 44->82 dropped 84 C:\Users\user\AppData\...behaviorgraphuzzler[1].exe, PE32 44->84 dropped 142 Tries to steal Mail credentials (via file / registry access) 44->142 144 Tries to harvest and steal browser information (history, passwords, etc) 44->144 146 Modifies the context of a thread in another process (thread injection) 44->146 148 2 other signatures 44->148 49 bfc.exe 44->49         started        53 hCVJFOyzXcYEeTIAROhZtqYPJEhCFf.exe 44->53 injected 56 firefox.exe 44->56         started        file13 signatures14 process15 dnsIp16 68 C:\Users\user\AppData\...\skuboppernes.sys, data 49->68 dropped 70 C:\Users\user\AppData\Local\...\Renowned.tha, ASCII 49->70 dropped 110 Suspicious powershell command line found 49->110 112 Sample is not signed and drops a device driver 49->112 58 powershell.exe 49->58         started        92 shahaf3d.com 64.46.118.35, 49719, 49720, 49721 SINGLEHOP-LLCUS United States 53->92 94 www.lenovest.xyz 162.0.213.94, 49727, 49728, 49729 ACPCA Canada 53->94 96 10 other IPs or domains 53->96 114 Found direct / indirect Syscall (likely to bypass EDR) 53->114 file17 signatures18 process19 file20 72 C:\Users\user\AppData\Local\Temp\Smilet.exe, PE32 58->72 dropped 126 Obfuscated command line found 58->126 128 Writes to foreign memory regions 58->128 130 Sample uses process hollowing technique 58->130 62 conhost.exe 58->62         started        64 cmd.exe 58->64         started        66 Smilet.exe 58->66         started        signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-06-05 02:50:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2felypq7lhb33nlsft5dycakaapsti57lyxqc2fzprrl4pk2dka._file
Verdict:
malicious
Similar samples:
035b784824ed07c31f8d100b3d92777b5c83ca9113d882a75f13e8b0e283892d
Formbook
08cdc9e60803ba426c8fe8a281fcedc8c9990d8cc3b706eb613f34cbaeb23bf0
Formbook
4aa37a11ddb67e7f38784e08ccebe06e9e9d7a741107a8fb8bbf5f8f86fb4fc5
Formbook
9806d3ef46ca4ff43aa761d7748c3c3963f350573abcc52574a333fd89a28bc5
Formbook
+ 239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240605-twx31sbh6w/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
a0275052480060a4a56e45279944531c2e2cf6ac26f751df3e795b9f847ef929
MD5 hash:
84fdd240b0e1b10531abfe53c6d78315
SHA1 hash:
c5ab1ed675eb285ce5ad984695f8ef63ca760d52
Link:
https://www.unpac.me/results/34d77d5e-c724-40db-815a-51a6e3e82bb1/
SH256 hash:
4c69437931f31ac36c7ca6801e4fa1dd896e525980fe1304994d7b2d4bec21b6
MD5 hash:
fd8b4d583f055880bc1337c9ce773406
SHA1 hash:
ad63e31f72f5b34dd6df74f381d5b41481d8c1c1
Link:
https://www.unpac.me/results/34d77d5e-c724-40db-815a-51a6e3e82bb1/
SH256 hash:
ed6a89c49a3c974f5dcf714102df0441c61aac9c1be40166ecdf5dc0dfeb6edc
MD5 hash:
b7b4c56f63d83b28c571740c5f0f513f
SHA1 hash:
afc8166c0258ce081769795ffa63e7a63177f1cc
Link:
https://www.unpac.me/results/34d77d5e-c724-40db-815a-51a6e3e82bb1/
SH256 hash:
c33f4dd8ddce7fcbaaf1c3db97943ce68eff43fcad18776ca9286217899355d3
MD5 hash:
64470392c6d2f3baa829fe148dfdf56c
SHA1 hash:
8fb5b344ff22142bcc58dd68fd768f2abfc013d3
Link:
https://www.unpac.me/results/34d77d5e-c724-40db-815a-51a6e3e82bb1/
SH256 hash:
55729815a6ad44739f2af0c7a7096f4153fcc109d440f23d0d609065e96b625e
MD5 hash:
82a8fdab718d8d9c1c82472293a72e3d
SHA1 hash:
042c0d08baf858128d32c01476380e142891456e
Link:
https://www.unpac.me/results/34d77d5e-c724-40db-815a-51a6e3e82bb1/
SH256 hash:
3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4
MD5 hash:
cfd86b8016c2604ea4b9cf22e6316e22
SHA1 hash:
76bbd37b9fa76903785813af01c9cfb913c6b7ff
Link:
https://www.unpac.me/results/34d77d5e-c724-40db-815a-51a6e3e82bb1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e8a45e1f0fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3e8a45e1f0face1dedab9167d1e0405000f94d1dfaf1780b45cbe315f1ead0d4

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments