MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413
SHA3-384 hash: 6f9019a7e3623c2adadfe9effe838a493e56753f9daeff1c304865ad24ccd26ccb19308b4515f230d64e9dd5c1d49e58
SHA1 hash: dd3b45063a17bf4675868190bbf81bea83c0a1fb
MD5 hash: 3f52ed5d2e98aa36303c3441b0379e94
humanhash: monkey-gee-delta-monkey
File name:file.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:833'032 bytes
First seen:2024-04-30 10:25:48 UTC
Last seen:2024-04-30 11:33:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:mL+qRFm+xwDad1KQ3/uu023Lq0PXI7lbEuW4b:mpFwDaTPqAXIhzWE
Threatray 697 similar samples on MalwareBazaar
TLSH T10705DF9D3650B6DFC827CE7289A82C64AA616577430BD3439057129DEE0EADBCF142F3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 8296e6e2b8989684 (8 x AgentTesla, 3 x Formbook, 2 x PureLogsStealer)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413.exe
Verdict:
Malicious activity
Analysis date:
2024-04-30 10:37:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a5f5f591-0b56-4dae-9dda-ee1d7c95123e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6630c74654bafb7d21e72855/reports/24a9f975-ce7e-4138-82de-94aae651e564/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c325fdb3-8a92-4548-8e16-51eeaf35a04e
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433981
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433981 Sample: file.exe Startdate: 30/04/2024 Architecture: WINDOWS Score: 100 30 www.quantumboulevard.xyz 2->30 32 www.klingerlumberltd.com 2->32 34 3 other IPs or domains 2->34 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 52 9 other signatures 2->52 10 file.exe 3 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 30->50 process4 signatures5 64 Detected unpacking (changes PE section rights) 10->64 66 Detected unpacking (overwrites its own PE header) 10->66 68 Injects a PE file into a foreign processes 10->68 13 file.exe 10->13         started        16 file.exe 10->16         started        process6 signatures7 70 Maps a DLL or memory area into another process 13->70 18 zTtCIhOuvgvIeteyEuPVKfIbV.exe 13->18 injected process8 signatures9 42 Found direct / indirect Syscall (likely to bypass EDR) 18->42 21 unlodctr.exe 13 18->21         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 21->54 56 Tries to harvest and steal browser information (history, passwords, etc) 21->56 58 Deletes itself after installation 21->58 60 3 other signatures 21->60 24 zTtCIhOuvgvIeteyEuPVKfIbV.exe 21->24 injected 28 firefox.exe 21->28         started        process12 dnsIp13 36 www.gattosat.icu 109.123.121.243, 49715, 49716, 49717 UK2NET-ASGB United Kingdom 24->36 38 www.quantumboulevard.xyz 66.29.135.159, 49723, 49724, 80 ADVANTAGECOMUS United States 24->38 40 2 other IPs or domains 24->40 62 Found direct / indirect Syscall (likely to bypass EDR) 24->62 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-04-30 04:48:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2pzcp2m7gyjxcu32t4rxhhqdhwvbzvhzbszv6mtxc727q5o2qjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
Formbook
3911ca0a3ba01ed03c568bf9e8dba24af0a2d0c4cd05cc4d453d17729f2feace
Formbook
4b0ee61b0c2873d1e86b99f48ddacae7ce51efc7272048827ae368b98cafe2be
Formbook
690955d5af76a8aaac2f4d703f182b0b2d42939d13dce8783313a232ed942719
Formbook
6945513b267f5df1d7eeb48c8d95c6ff83b5f97d105bfd11b666734bf4c3f6b8
Formbook
88f28e5053f90a2b68e11f599f4136eaf462c9ad3cf319c96882f5b19386aef1
Formbook
c4b6e4bd4131eaa2fba28259570135346ea35a90bf271bab1560f019550698fd
Formbook
e6d6e42a6b67e3fdad165a4a0b5659773c3212c3aac6d323c30bea339da8f686
Formbook
e71687f19b2f1b17c4d27477060fa3bb424c77c1ed4163187dd7dbba691a04d8
Formbook
fc0b4a0d0cddb4abdc8288fbdd5331e8805779750648be80e17f0e9adbaec27c
Formbook
+ 687 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240430-mghlfshh24/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
4fd387bf8070993b326569b36950d53fd48ec4260a0e8ef63daf0a62fd8260c7
MD5 hash:
c7a5ff94cd69afb15e2a5c47087ee6f0
SHA1 hash:
be6cf08671406abeea69838958f3253b55f0122c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
Parent samples :
3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413
c040726eab61fc794f91f7d7712de11b4955c76db950e3b85ef57d413b15eb87
2bccfa58d85d040fb05abd1c50ecd107c56c0ac20f84576d7a57b9074e471be5
SH256 hash:
bc8542b7bbbfdb4f7b37497593bbc39835e5fc12341b581c37377b8241d83f18
MD5 hash:
abab05ee1cf56e3127913e9b2eb91d38
SHA1 hash:
e1348c71b67779558f53ab5988af5440a3ec72bf
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
e1c622628bd86d1d3e801afb5dee83b551d223f281e937e17529190d67c2e6ae
MD5 hash:
596ff23b412ac2abc3e5c178558eacfb
SHA1 hash:
8476916e82f85f77ff4cb066110d3a14a5da67ee
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
bf24e3d51b96eb9687fbd9107df383008c95d18244300d0f2270864dea830dd7
MD5 hash:
9b65b3f5b4b6df39b0655be15b23f50c
SHA1 hash:
52a81b7d5377d6aa7a5ef4565b9266c73fa9dd4b
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
cad8a0cb36e52a9df4e8a2991e2815347f4d5c695222074f4786f496002a6fb4
MD5 hash:
5fc84699b2d6327d492028747a55aaa8
SHA1 hash:
47c3df313586279ff7781243ea73ca7becc8ca28
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
e6628ce6c6e23350b8aa56d89ba2abbfeba1ecb3b83ab0fc195ae078b6aa583e
MD5 hash:
e0af67fdeca3e13cb9015a3a59ba8006
SHA1 hash:
d764a3408fe825bc105dfdb9e223b0be891040ef
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
5f90feb6c8ef21615d6cb2270184007b1e40450decc57199261318eeba22a3c0
MD5 hash:
08f6f9395f263c5b1d3b74339cd8016c
SHA1 hash:
d08b33ff242278ce06767cbba42f07ae6f3a5a8f
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
939f2d367a584b36c2d51ad39b6cc2f1f1e9a3c81213ff56fca368786e45ef9d
MD5 hash:
377e39cf58bc0f8eadf284b565dfe556
SHA1 hash:
cfb938573c0b6d452358665a52920cf2f8888cae
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
001eee01f9a55e3421754db3b174e5360f4cbe453aafe81ae027729878b6b3e6
MD5 hash:
f2ed836665eb204aa96f2653a01283c1
SHA1 hash:
635b40fc74e830023afaf7f9cc89ebd4cd362737
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
29896d309a1ce75092ed4b0953575fc306f8ccdc99dd38f10991c95c6e22d5df
MD5 hash:
4958406bbb4d33381452a9ee9bc14ac3
SHA1 hash:
4c485efc71d9c8a541bfd334a545f29b2fd17564
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
c3ea24dee8cde3ba7c8c5ac13e77953765a49bd7357104e1570dcf2869f51360
MD5 hash:
4bbe67201e6ba9ed20fe61fb3a583704
SHA1 hash:
1f493e9c2247d2d7f0398e869fa238af0059d9d6
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
SH256 hash:
3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413
MD5 hash:
3f52ed5d2e98aa36303c3441b0379e94
SHA1 hash:
dd3b45063a17bf4675868190bbf81bea83c0a1fb
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/476078df-809e-4af2-ada0-ec34f37bf61e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e9f913f4cf9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e9f913f4cf9b09b8a9bd4f91b9cf019ed50e6a7c8659af993b8bfafc3aed413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments