MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489
SHA3-384 hash: 2a99c57585453e000134dec0edade85e9f654622fcceb98413ed8447f8bcd14d9cc7787c6a0a63577be8add223f1d500
SHA1 hash: c88cb7b2ab5e14fdcf1cf9453b580991e2cd861c
MD5 hash: 6fba76418a9572cd9e80aa95861cb86b
humanhash: lemon-idaho-gee-london
File name:6fba76418a9572cd9e80aa95861cb86b.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'241'600 bytes
First seen:2022-03-18 11:43:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:M3P9uZI2mu4JOE8Br7IbrWbHwbenfRLLrWsG3J+:M3FuZfmu7JIPYwbenfVLrW/3
Threatray 12'462 similar samples on MalwareBazaar
TLSH T17C45F030671555CEE87AE2B4825230CC0BF42EC7D11D9F49BAC164BB3B627B40EDAA57
File icon (PE):PE icon
dhash icon 64e4ccdcb2c2d4cc (9 x Formbook, 4 x BluStealer, 3 x RemcosRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/252571/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.26954.32349.12653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger obfuscated packed replace.exe shell32.dll
Link:
https://www.filescan.io/uploads/623470aab94fb38cb4a2a376/reports/926df554-e8f1-4671-9721-b3419ba192e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1545533-05d2-41f8-ae07-8e59804147f0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959449
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 591930 Sample: OzOzFPu843.exe Startdate: 18/03/2022 Architecture: WINDOWS Score: 100 31 www.bees88.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 11 OzOzFPu843.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\OzOzFPu843.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 OzOzFPu843.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 14plaisanteinfo.com 37.187.131.150, 49801, 80 OVHFR France 18->33 35 www.5128hnwj.com 107.186.167.165, 49787, 80 EGIHOSTINGUS United States 18->35 37 2 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 17:29:00 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
31fcd3d5d4db88d5742905ad8c2717d6c107b246ff4423745c3bbaf8f66e1a7a
Formbook
374874898c5386561d60c3fae0482d1caee783f1096dda6742b1c073175a0a14
Formbook
4892e9b8ed5aa57661e3a1fd4bc2d48570cd416af12ab88bbade473ede45c1ed
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c
Formbook
d89f28603b8948dd7217e42366328a6e9bd05d59e5de67a4c39f207f8a520d43
Formbook
df1510f64189b49ffeb4630c74af81a86888114102b493f52b5ad1c1cb58d121
Formbook
+ 12'452 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:cm5a loader rat
Link:
https://tria.ge/reports/220318-nv7yyahgfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
a05c68a70fd1acc3016d06ae9f78780474e05bdbae51316aefac43618a7f6446
MD5 hash:
a8cc4bb1053c6e34ea4da54621c858dd
SHA1 hash:
2ee81c4ccba1cebe5b3b141fd8dd32fb5f65f6ef
Link:
https://www.unpac.me/results/9d03ad76-11eb-45ce-b51a-55a929b0aecd/
SH256 hash:
6ff21c090296e9fd3ec2b17e03e184e2396adf4013b2a4f4c9dea5bd7aff38f7
MD5 hash:
7c3fb3e3d91e338ae917c4cb46895e71
SHA1 hash:
ba577b8ccb3c6bbc5e9e3a838aec98859cd4dbaa
Link:
https://www.unpac.me/results/9d03ad76-11eb-45ce-b51a-55a929b0aecd/
SH256 hash:
91257599535b7dd9bc35af9e333daedd24b16ddb5babd5f59af7ce7c309768ea
MD5 hash:
ffa32accbb4db557627c5cacf909fb66
SHA1 hash:
dad92bbb59036076609bc105e7f72e52f6c645d3
Link:
https://www.unpac.me/results/9d03ad76-11eb-45ce-b51a-55a929b0aecd/
SH256 hash:
fca0857dfc70eef56888299f9a94ee3ee36892f7cadef16074f2a5abbc8a085f
MD5 hash:
2deca73b418ef75f6e4381e67a71d43e
SHA1 hash:
b24e3779fdd13f3c24d353110433594cef101a97
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9d03ad76-11eb-45ce-b51a-55a929b0aecd/
Parent samples :
9aaa7c573063de657a71a30e4818c8490ef9ee776c443489a9b6b13d3fc1ad25
3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489
0c00b068d5bfd4dc81a3868464cdc8058a8a258db2b446722a601eb942b69068
8e89881e34371e10b7f9cb943183a061aab9b22853cb7192e1ac09401f4cc545
SH256 hash:
3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489
MD5 hash:
6fba76418a9572cd9e80aa95861cb86b
SHA1 hash:
c88cb7b2ab5e14fdcf1cf9453b580991e2cd861c
Link:
https://www.unpac.me/results/9d03ad76-11eb-45ce-b51a-55a929b0aecd/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3f0b6a2e50e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3f0b6a2e50e39420c7b91acb35c08bb088c1ccaaa889491559a572dc481bf489

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2103580/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/252571/

Comments