MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583
SHA3-384 hash: 9cffe0610d7e332fc5db42f6d1476243ad7e6ccdfaca67eb64eb6ab325a9f2426eb699f1fb21ba103e55302476ff1e3d
SHA1 hash: 24e1a669e01e63071d425539b2aac4207a4a7f69
MD5 hash: 8215fb520e6fd4cdd51e1c63c8d0fd38
humanhash: alpha-lemon-sierra-video
File name:04797_AL.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:857'600 bytes
First seen:2023-03-07 07:54:00 UTC
Last seen:2023-03-07 09:28:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EXKjX+rzknTP8pO4G0OIecssiQz34O0t3MxzfWAAIO6:OKL+roEpThzzIO0t34rWAd
Threatray 2'175 similar samples on MalwareBazaar
TLSH T16505AFE42F5D7267FB86A1F3180526A7DB9CB95D2527C0081EE2108FC1CDE3C5652EAE
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2892cc7092280000 (4 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
04797_AL.EXE
Verdict:
Malicious activity
Analysis date:
2023-03-07 07:54:35 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/ec53e2c0-09db-4009-8d39-123d96ec136c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372160/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6406eda8e96aa01651233da5/reports/41d7a999-ab9d-49a2-a6d1-5e4d3247505e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3acd4457-5a99-42ea-ab72-b5dbf85e296a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188404
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821279 Sample: 04797_AL.EXE.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 6 other signatures 2->74 10 04797_AL.EXE.exe 7 2->10         started        14 DqgmCrtAmc.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\DqgmCrtAmc.exe, PE32 10->46 dropped 48 C:\Users\...\DqgmCrtAmc.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmpED4A.tmp, XML 10->50 dropped 52 C:\Users\user\...\04797_AL.EXE.exe.log, CSV 10->52 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Adds a directory exclusion to Windows Defender 10->84 86 Tries to detect virtualization through RDTSC time measurements 10->86 16 04797_AL.EXE.exe 10->16         started        19 powershell.exe 19 10->19         started        21 schtasks.exe 1 10->21         started        88 Antivirus detection for dropped file 14->88 90 Multi AV Scanner detection for dropped file 14->90 92 Machine Learning detection for dropped file 14->92 23 DqgmCrtAmc.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 27 explorer.exe 3 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 coreinternationalbusiness.com 193.168.192.232, 49697, 80 AS-HOSTINGERLT Germany 27->54 56 www.tridentacquisition.info 27->56 58 2 other IPs or domains 27->58 94 System process connects to network (likely due to code injection or exploit) 27->94 96 Uses ipconfig to lookup or modify the Windows network settings 27->96 37 ipconfig.exe 27->37         started        40 wlanext.exe 27->40         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 37->76 78 Maps a DLL or memory area into another process 37->78 80 Tries to detect virtualization through RDTSC time measurements 37->80 42 cmd.exe 1 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 06:25:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
12 of 25 (48.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4gafjvlvgtdptf4b2ptxi26kdxvbweye7majqldu572jybhwwbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3aec0a3b707390b1a000b0e7a6deb3bd7b8f84109b4335be6809694453fadc4c
Formbook
4baf37305afca03942dfd3f13c173cd45d587cd358adde2b6f1596fc761eaae2
Formbook
596582af66790eee7160b485c4fa5d060b3c820af83343fe4c12fa360043a09f
Formbook
609e38239c20a1b1a2a1d773e18e467fb8097dcb2f398580c8780fc27d1df443
Formbook
651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0
Formbook
8e0884e51a92a725d4d5da82ba69173c4402d7030421d0aa65f40245c2795485
Formbook
92f0746ddd0eeb0811fa39cf23258b669f3e9b422edc48057971ec94002fa9cb
Formbook
cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f
Formbook
ce902a74a974d8abadef885c3aa91a41ad495d0d22a187b0bb4c87645d3ae0a8
Formbook
ea2ae64afb2fe6c21176ec595cc4036a184e16c700c312aa8efa4280ab27c2c3
Formbook
+ 2'165 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bpnw rat spyware stealer trojan
Link:
https://tria.ge/reports/230307-jrj1gsgf5w/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
fd78f3431f6f17eaf953c0d551df5beeaea5ded90208d9a1da069d205df47369
MD5 hash:
766a56e4810ef3e31cad700350964d54
SHA1 hash:
091387174081761dc5fe88fa5285f97f68705601
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/baa59882-548a-4b60-ba2a-897fb5dd5842/
Parent samples :
3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583
d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f
34c2526748f1214c70cbefa7e45e067e86e78c79759cafa9fdf1082795ed92bb
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/baa59882-548a-4b60-ba2a-897fb5dd5842/
SH256 hash:
552fc1dff12bb534b3465b26b81da5da8abb7a7800b701d5ed9f008c55c644ec
MD5 hash:
486602eacc76288bf9b65df141e0d3fe
SHA1 hash:
2b0a789f323c638ddef6e4c908396ca301d85b05
Link:
https://www.unpac.me/results/baa59882-548a-4b60-ba2a-897fb5dd5842/
SH256 hash:
ca46d4c468eb9dbddda36239540203af95419cb6b95da1f5c70932eb000a1551
MD5 hash:
bead3172f5fd84f36202c28a4fc39322
SHA1 hash:
17f169e20097cf278942072bff5e2afd0cd37697
Link:
https://www.unpac.me/results/baa59882-548a-4b60-ba2a-897fb5dd5842/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/baa59882-548a-4b60-ba2a-897fb5dd5842/
SH256 hash:
3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583
MD5 hash:
8215fb520e6fd4cdd51e1c63c8d0fd38
SHA1 hash:
24e1a669e01e63071d425539b2aac4207a4a7f69
Link:
https://www.unpac.me/results/baa59882-548a-4b60-ba2a-897fb5dd5842/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f0c02a6aba9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 28e9f55bb7840a2296170dba587b8a81be3ab860b3aaab8186ea9a01b288c1b0

Formbook

Executable exe 3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 28e9f55bb7840a2296170dba587b8a81be3ab860b3aaab8186ea9a01b288c1b0
Cape
Cape
https://www.capesandbox.com/analysis/372160/
  
Dropped by
MD5 52c9052e18499512603e25a1a3a1cd8c

Comments