MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c
SHA3-384 hash: 4961b85501539e2a33c314e0c2e4ccba66f90bb48ced52f3d62ed253cd1ac2c17614daf3b69c22872d699b71ff8c0eba
SHA1 hash: 52d386445e50600a920f16692bbf30829d08932c
MD5 hash: d394a8c0a37bcdaf432b2882714c6eba
humanhash: potato-network-romeo-illinois
File name:Inquiry_10_05_2021,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:551'936 bytes
First seen:2021-05-10 07:14:28 UTC
Last seen:2021-05-10 08:07:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:OHFMw7Y9MA59CyMAn0pGZVkfK6Jaei3kqh6PehkHFRAomlTx:OH+w09tVSKLkqh6P3lRAoqTx
Threatray 71 similar samples on MalwareBazaar
TLSH F1C4E040E90DACD5E7D9E4B3B13A8B100575BEDB92B881AF2666331452F37C331B6D0A
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153796/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.28644.29292.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779459
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 411852 Sample: Inquiry_10_05_2021,pdf.exe Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 34 www.thevillaflora.com 2->34 36 www.thenewyorker.computer 2->36 38 2 other IPs or domains 2->38 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 10 Inquiry_10_05_2021,pdf.exe 5 2->10         started        signatures3 process4 file5 28 C:\Users\user\...\Inquiry_10_05_2021,pdf.exe, PE32 10->28 dropped 30 Inquiry_10_05_2021...exe:Zone.Identifier, ASCII 10->30 dropped 32 C:\Users\...\Inquiry_10_05_2021,pdf.exe.log, ASCII 10->32 dropped 13 Inquiry_10_05_2021,pdf.exe 10->13         started        process6 signatures7 58 Multi AV Scanner detection for dropped file 13->58 60 Machine Learning detection for dropped file 13->60 62 Modifies the context of a thread in another process (thread injection) 13->62 64 4 other signatures 13->64 16 cmmon32.exe 13->16         started        19 explorer.exe 13->19 injected process8 dnsIp9 42 Modifies the context of a thread in another process (thread injection) 16->42 44 Maps a DLL or memory area into another process 16->44 46 Tries to detect virtualization through RDTSC time measurements 16->46 22 cmd.exe 1 16->22         started        40 www.qiqihao.site 19->40 48 System process connects to network (likely due to code injection or exploit) 19->48 24 autochk.exe 19->24         started        signatures10 process11 process12 26 conhost.exe 22->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 03:50:51 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5g4gcn6nfkis4rjtsyfc7eijpfvurzpx6ljh7z5a53wzfdev4oa._file
Verdict:
unknown
Similar samples:
02ec84d0b711866766513ad2b97752fe246e00e665e4518afe36260e5fa7b844
Formbook
0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f
Formbook
1f247163023db8b4c9ab82b36befc81bbbd58483bc6d00fafcac9a3a34c9a97d
Formbook
9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
Formbook
b4f95e4d9620a26624a59ba027823fa47cfb1cc562613d51c7305ab5f0fcea56
Formbook
be7af0c2f9356ba016baa597e558df431fa2c5fbd4ac2fbf8d86a24662dcd464
Formbook
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
Formbook
d3cf3dd42d45a2a4066e2102230b94a085649757a06da3fdeef2bf0eb56855ef
Formbook
d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815
Formbook
e9636453620b1cbeb4674bd9cbec694e0c155fd78354cad48e4c5bb7e33b7fd9
Formbook
+ 61 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210510-ypvrh8xjts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.werealestatephotography.com/hw6d/
Unpacked files
SH256 hash:
0c3765e44e17c1047aafc8a1808de537f17beee95b5e2edeed6baad97bdbf1d6
MD5 hash:
cdb066d3293eeb17856cf876267aa34a
SHA1 hash:
30dcd46f41dc6b182e981a16d1bf7b88603b52a6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f687999c-f4a7-4d91-a29a-a1e115130b51/
SH256 hash:
a2d0e4b945aa6affd37ab9174ebc17e6610e595a6c7b81f39ef8a541bfb0c1d3
MD5 hash:
8ce29709bd9aa28a746982a52d04ca48
SHA1 hash:
f7ce1c829041c39b65f543012b449dd19cbde417
Link:
https://www.unpac.me/results/f687999c-f4a7-4d91-a29a-a1e115130b51/
SH256 hash:
d7905d39e709aca36904aef82ac2b7a9db5a0e453eee9f7d7a18b17ffeb09f5b
MD5 hash:
dc4128d7e330b3d7a6c986900ad1d39a
SHA1 hash:
b01ed0c07291079c20335c836ea0f49b33a19f3a
Link:
https://www.unpac.me/results/f687999c-f4a7-4d91-a29a-a1e115130b51/
SH256 hash:
3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c
MD5 hash:
d394a8c0a37bcdaf432b2882714c6eba
SHA1 hash:
52d386445e50600a920f16692bbf30829d08932c
Link:
https://www.unpac.me/results/f687999c-f4a7-4d91-a29a-a1e115130b51/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153796/

Comments