MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
SHA3-384 hash:	4897b2df9d478ae0b50e5f68d2cbea35ddf30bbbcc130f57793022769b4fde54223f481aa642620a1a5ad22ebd514ea7
SHA1 hash:	f472edc2b7a4ef96f5bda3f9c79436729051904b
MD5 hash:	279b67bd99398311b8bd9e633b3fc6a5
humanhash:	white-king-crazy-single
File name:	Quotation 78957.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	707'584 bytes
First seen:	2023-10-03 13:49:07 UTC
Last seen:	2023-10-03 14:38:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:cpEiSAx5PWPQ5PgV7CvgMAWiqwEShrPOn0NIrb2a0P:cm7Ax5uPi4pCB9ieCPOaIr6a4
Threatray	76 similar samples on MalwareBazaar
TLSH	T134E412093BBC8578DA6ECE3E1273445203FF7109BA54C38A2D8764C9EDD73934A85B96
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8b0b0b2361392f2b (3 x Formbook, 1 x AgentTesla)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/651c1c0c1e07d7e1e9ac1233/reports/804d71d1-e40e-40bf-b1cd-d7dc7fa7e7d5/overview

Verdict:

Malicious

Labled as:

TrojanS.C5A2F73F

Link:

https://www.hybrid-analysis.com/sample/3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c58f2036-8bce-42ad-bedb-f102b8683da3

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318750

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Uses ipconfig to lookup or modify the Windows network settings

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-10-03 02:24:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 35 (54.29%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h2kaxvibqr7hx5qlkjkzsytcchjs64c5prqwlbdctjo4aidlyuwq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1290bedfe236cb0894d63d8ea46b115ff26bd7694a16ae290fdcbc91291096a4

Formbook

2483bf5285752b850cda81452f1fe3755e0f97ab108748edbe2e6756c23850e4

Formbook

2ea01def771f0e57b541d4819dd9a543c5adb3a4452c6f5c03eac2c49c542bfa

Formbook

5cb54293ba5cf461f2a5dd557dcf1526f1609e31759c77b293e36cb815599169

Formbook

7b798cee09b1e65922731c0ac1ddc080ce0560fe68a01c70e19bcc1bb59cd047

Formbook

a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908

Formbook

+ 66 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231003-q49j8sbb3y/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

b8a4d1c36a67c556075dabf27f0d5836a42b39a9fda9788f759716ecf4302555

MD5 hash:

b5717686192f457dc1a44e8da04aedb6

SHA1 hash:

91d1d9774a1bebc866efc415624b6f9f6a0010cd

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/6ada0ee1-fb3d-4ccc-9fb8-dd49534fc32c/

SH256 hash:

36aeb61d300fef8cecce05d190071644057115880f629aa4b68bc4f85d9182e0

MD5 hash:

9f216e77e7d78a77bc95f4c745eb2f88

SHA1 hash:

bfd799a0006959dd7449620a05076b10543623c4

Link:

https://www.unpac.me/results/6ada0ee1-fb3d-4ccc-9fb8-dd49534fc32c/

SH256 hash:

8f7628cd4d08de3b91fae0885c27f4e82e1d8fde83aa4bb7e837e2ee5f78e636

MD5 hash:

21e9876d1e27478ff10ae763fe5bfaf4

SHA1 hash:

f17ac391d15f6e6f3497dd2aba1b1fc917023b87

Link:

https://www.unpac.me/results/6ada0ee1-fb3d-4ccc-9fb8-dd49534fc32c/

SH256 hash:

54431b8241482126d4250c1e4afbc5ed230f4e5ec3f3d329816b5d8736658270

MD5 hash:

864b2a21cd2fe90f9fb3e9dfc6172415

SHA1 hash:

9b3d2ec6dbbb0b93d5d9d16da962aa0332b9152d

Link:

https://www.unpac.me/results/6ada0ee1-fb3d-4ccc-9fb8-dd49534fc32c/

SH256 hash:

7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391

MD5 hash:

1622a62bf6805b2dca82a8632eceac71

SHA1 hash:

071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c

Link:

https://www.unpac.me/results/6ada0ee1-fb3d-4ccc-9fb8-dd49534fc32c/

SH256 hash:

3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d

MD5 hash:

279b67bd99398311b8bd9e633b3fc6a5

SHA1 hash:

f472edc2b7a4ef96f5bda3f9c79436729051904b

Link:

https://www.unpac.me/results/6ada0ee1-fb3d-4ccc-9fb8-dd49534fc32c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample