MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 28 File information Comments

SHA256 hash:	3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c
SHA3-384 hash:	630f82089f26d5ec99505a9e90245cf1ad0a95ca59249c90e8de1ca4ac974e7871ba2320d485933cae7ae1bc3c76041e
SHA1 hash:	20873e960f5f027206be4cdc5b3b76c2ee2b1d21
MD5 hash:	6ba74e260251f49ce3eb6cf56cc25192
humanhash:	bluebird-maine-texas-timing
File name:	HSBC Payment Advise_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'049'600 bytes
First seen:	2023-08-09 17:40:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bdf6349f4337edc78aae879092566618 (1 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep	12288:q+V0OGY20hP4SpWD4XIiIlYqHrvd6FE3TNDJrYb0fZp0B0Yi7fLssVcgbbFWWRpD:qWAs6lD4XNVQrvd/DFR20fI0JzR/RcA
Threatray	5 similar samples on MalwareBazaar
TLSH	T1E125AE37FEC29C37E176157C4C0A1A647C297FB30A386445AAE87D8AAF3D150363D266
TrID	49.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 15.5% (.SCR) Windows screen saver (13097/50/3) 12.4% (.EXE) Win64 Executable (generic) (10523/12/4) 7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4e084849496d09c (1 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
Reporter	abuse_ch
Tags:	exe FormBook HSBC

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

HSBC Payment Advise_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-08-09 17:49:41 UTC

Tags:

dbatloader loader

Link:

https://app.any.run/tasks/f3c15b13-0d72-4578-b509-038cc7a3b5c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ModiLoader

Link:

https://www.capesandbox.com/analysis/441741/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/102335/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e350d422-60c6-4b40-80db-2c97ff243c61

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1288850

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-08-09 08:20:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h2f32vr36u43bcwlml7ytnbtknkj5hik5yfdevt6wqwx6buh4uoa._file

Verdict:

malicious

Formbook

d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869

Formbook

dc99dacdbd53fe4163b9e32e7ef490b354d8c0c81089614ceae1ecada11263bd

Formbook

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/230809-v9fassea39/

Behaviour

Script User-Agent

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

570d50b649829cd3e6f62c02ef89e69c0886e9f1664cceb5ac57977fa23f4eb8

MD5 hash:

85b7b59e9888d3885a1068cb2e0350ed

SHA1 hash:

e550b26fd606cfad460ebd774e42541c57e22851

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/1f3fc792-bda6-4251-bcd9-d58946068974/

Parent samples :

dc99dacdbd53fe4163b9e32e7ef490b354d8c0c81089614ceae1ecada11263bd
3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c
3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/1f3fc792-bda6-4251-bcd9-d58946068974/

SH256 hash:

3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c

MD5 hash:

6ba74e260251f49ce3eb6cf56cc25192

SHA1 hash:

20873e960f5f027206be4cdc5b3b76c2ee2b1d21

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/1f3fc792-bda6-4251-bcd9-d58946068974/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e8bbd563bf5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_ModiLoader Create hunting rule
Author:	ditekSHen
Description:	Detects ModiLoader

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	without_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any url
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/441741/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample