MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073
SHA3-384 hash: 1be1739763b1d3d687673b77af705c9b40383b582be85724787b6b6dffde5de03a058710031dcacec15a27e652d7f6e9
SHA1 hash: 971a1b851d914a17b97cdc95c17fc7d3f962c009
MD5 hash: d90d38f2dc39b8b19368a55a44841fa9
humanhash: pip-nine-seventeen-twenty
File name:IMAGE00037.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'920'512 bytes
First seen:2021-07-27 09:56:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:q8pmoHM0rFHOtzfArHR19OZ2f1a8+VzKroYrgLExfT4J9:q8pmos05OhfA7bcgNa8+9KrqExr4J9
Threatray 7'935 similar samples on MalwareBazaar
TLSH T1E69501F5162C7F1BF0AF1B7D906140229BF0409BC96ADBE4FF6614EAAF242975052286
dhash icon ae53d212daccccca (8 x Formbook, 4 x AsyncRAT, 1 x NetWire)
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Formbook C2:
178.18.247.188:4433

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.18.247.188:4433 https://threatfox.abuse.ch/ioc/163158/

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMAGE00037.exe
Verdict:
Malicious activity
Analysis date:
2021-07-27 09:58:26 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/53f02a16-aa6d-46e0-8198-0a9e80209ff3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174322/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9cbc5a46-58c6-41a2-b318-e6b9b98857eb
Result
Threat name:
AsyncRAT FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822278
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454686 Sample: IMAGE00037.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 8 other signatures 2->66 12 IMAGE00037.exe 3 2->12         started        process3 file4 54 C:\Users\user\AppData\...\IMAGE00037.exe.log, ASCII 12->54 dropped 90 Injects a PE file into a foreign processes 12->90 16 IMAGE00037.exe 3 12->16         started        signatures5 process6 file7 46 C:\Users\user\AppData\...\rabwnZTK6eR3mtJ.exe, PE32 16->46 dropped 48 C:\Users\user\AppData\...\6molUfaaYOUHEjk.exe, PE32 16->48 dropped 19 6molUfaaYOUHEjk.exe 3 16->19         started        22 rabwnZTK6eR3mtJ.exe 6 16->22         started        process8 file9 70 Tries to detect virtualization through RDTSC time measurements 19->70 72 Injects a PE file into a foreign processes 19->72 25 6molUfaaYOUHEjk.exe 19->25         started        50 C:\Users\user\AppData\Local\...\tmpEE38.tmp, XML 22->50 dropped 52 C:\Users\user\AppData\Roaming\eYhwPQL.exe, PE32 22->52 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 22->74 28 rabwnZTK6eR3mtJ.exe 2 22->28         started        31 schtasks.exe 1 22->31         started        signatures10 process11 dnsIp12 82 Modifies the context of a thread in another process (thread injection) 25->82 84 Maps a DLL or memory area into another process 25->84 86 Sample uses process hollowing technique 25->86 88 Queues an APC in another process (thread injection) 25->88 33 explorer.exe 25->33 injected 58 podzeye.duckdns.org 178.18.247.188, 4422, 49728 INLINE-ASDE Germany 28->58 37 conhost.exe 31->37         started        signatures13 process14 dnsIp15 56 www.jasoneganrealtor.com 52.71.133.130, 49740, 80 AMAZON-AESUS United States 33->56 68 System process connects to network (likely due to code injection or exploit) 33->68 39 wscript.exe 33->39         started        signatures16 process17 signatures18 76 Modifies the context of a thread in another process (thread injection) 39->76 78 Maps a DLL or memory area into another process 39->78 80 Tries to detect virtualization through RDTSC time measurements 39->80 42 cmd.exe 39->42         started        process19 process20 44 conhost.exe 42->44         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 09:57:09 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3pj5g67bfs7so2tkhgexztqwmetjpbzvsreupz2yxzel5d4kbzq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
formbook
Create hunting rule
Similar samples:
1299373ec40fc1f3f16957338574a9ad51a94e62220cc8c08f1ad81dee443544
Formbook
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
Formbook
438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49
Formbook
98525018b61a01c4525b801032cc9b1f433cb6ddc707eb52d70769f227e5baa3
Formbook
c2e6a6a4dcceeb65c2b769b92223c4b5c6de325709146391a4863dd56f4eb3d1
Formbook
c578d33e132ccbbc26a4a31e6054fea7f42591b391e9b8eb30eaf732ed119088
Formbook
c7e4b8b9ded5df50dc1b2b8e6af95cb6cfb310c20be19c879c48a83371b345da
Formbook
e7c0c0108074647bb7a3c9d976c478e3fdbb047a910af9d988057508cec4dd8c
Formbook
eee7f4dd424733c57b1fe3712d215129f3494536bf6277d1811417c8a0a1baae
Formbook
fa26846e38ca581bcfeb41da686153970b4d29ed706e76352dd2771c12267cde
Formbook
+ 7'925 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210727-bb956lsyca/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Async RAT payload
CustAttr .NET packer
Formbook Payload
AsyncRat
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
podzeye.duckdns.org:4422
podzeye.duckdns.org:4442
podzeye.duckdns.org:4433
http://www.hometowncashbuyersgroup.com/kkt/
Unpacked files
SH256 hash:
93ec3cf66e61ee93356126325df26ceef1ef4c3063ab57c850774dfa9ba9860c
MD5 hash:
cdfebcc13d93f121b9b499400b305c56
SHA1 hash:
72dc802ec503d430d707641d9beb634d245d7064
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
SH256 hash:
0280c959e553d1e95fad64b90dbbdcb430b578a23ada02f1200c57a65b5d1d59
MD5 hash:
84ad046b21c0ce11b680b7d191ee758d
SHA1 hash:
f2871fea3097966f051fab538eacd5f06cdef1a6
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
SH256 hash:
3d26f53c30f4d6fd070e0eb51fc0a713eae0ceadef3e537272dd0adf3160b98d
MD5 hash:
ecad566a63c7c8e0203574e6ac8176da
SHA1 hash:
8b5e4ffcd59487879e86109c398ab2c394c83cac
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
SH256 hash:
5861ee83ca80dbfd549f2d8132c317020de7d070c5cf965518c552656fd54d7c
MD5 hash:
fae4eb97ef670e17d1dfd5def02055d7
SHA1 hash:
5b3d7e28242ca089aedde236dbb5982107422ede
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
SH256 hash:
b3040213159633a30e364d15cead228ab5ae84c1c8322d8a323bc77170a20acd
MD5 hash:
fd1915351b866de1d53e9460d2d0b5cd
SHA1 hash:
1eb9cf61e9a7799ac3635c3040899a043c08e0c1
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
SH256 hash:
3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073
MD5 hash:
d90d38f2dc39b8b19368a55a44841fa9
SHA1 hash:
971a1b851d914a17b97cdc95c17fc7d3f962c009
Link:
https://www.unpac.me/results/b841593c-30da-4278-9463-d1d56a593e63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174322/

Comments