MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec
SHA3-384 hash: 3dfd66a4a1face5bddb69c14fee5071501746745b3ae2621125c89033e196bfc2f9e91d572764d5770cc49c4223bb7cf
SHA1 hash: 16b4fc729dc5b66381e710717acd7a226f0c631f
MD5 hash: 0f23b3dede5773a4da6e3f6869da28ad
humanhash: berlin-fanta-burger-chicken
File name:Purchase order _SIP008.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'209'791 bytes
First seen:2022-09-28 07:32:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:iAOcZXp03RQgAgCkLOMhc2e+Q+3mG2k1ny76RPGQFV0aBTjWFqwA5:ojRAgCk3clDmtGQFV9jWG
Threatray 18'278 similar samples on MalwareBazaar
TLSH T19E452242F6E16473D5B219314B27AE31ADB93C605FA0D35F63D49B78EA310909226FB3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 80a4a6a6a6a68081 (11 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314264/
Detection(s):
Win.Dropper.Nanocore-9971395-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Creating a file
Adding an access-denied ACE
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39675/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6333f8afd089a0c15dd2876f/reports/069a3af4-8abb-4613-9433-75d6d59de25a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c765fcb4-fc91-46de-9f33-4d7689e030eb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079014
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 711580 Sample: Purchase order _SIP008.exe Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 6 other signatures 2->59 10 Purchase order _SIP008.exe 29 2->10         started        process3 file4 35 C:\Users\user\AppData\Local\...\gdvvbotbw.pif, PE32 10->35 dropped 13 gdvvbotbw.pif 2 10->13         started        process5 signatures6 71 Antivirus detection for dropped file 13->71 73 Multi AV Scanner detection for dropped file 13->73 75 Found API chain indicative of debugger detection 13->75 77 5 other signatures 13->77 16 RegSvcs.exe 13->16         started        19 RegSvcs.exe 13->19         started        process7 signatures8 43 Modifies the context of a thread in another process (thread injection) 16->43 45 Maps a DLL or memory area into another process 16->45 47 Sample uses process hollowing technique 16->47 49 Queues an APC in another process (thread injection) 16->49 21 rundll32.exe 16->21         started        24 explorer.exe 16->24 injected 51 Tries to detect virtualization through RDTSC time measurements 19->51 process9 dnsIp10 61 Modifies the context of a thread in another process (thread injection) 21->61 63 Maps a DLL or memory area into another process 21->63 65 Tries to detect virtualization through RDTSC time measurements 21->65 27 cmd.exe 1 21->27         started        37 www.comgmaik.com 103.224.182.210, 49698, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 24->37 39 onstatic-fr.setupdns.net 81.88.57.68, 49700, 80 REGISTER-ASIT Italy 24->39 41 6 other IPs or domains 24->41 67 System process connects to network (likely due to code injection or exploit) 24->67 69 Performs DNS queries to domains with low reputation 24->69 29 autofmt.exe 24->29         started        31 autofmt.exe 24->31         started        signatures11 process12 process13 33 conhost.exe 27->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 11:24:38 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5hi5wqdfazst44r4ei4ovxxw3wojkn4bvawokxyyhyjxlzldtwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
419a1f7877dff457794f7d38aff4a90c3cf261c846545bbf644d8871f764d81a
Formbook
652d40bb88df43cc5c2c71b746bca9594198c1e0bea923e717e093c04284cdcf
Formbook
a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32
Formbook
aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750
Formbook
aa9c86a823e654e20b42edc829a890f08b0ffffaaa4054ca0033e0b4fae5765b
Formbook
b3a3645cf2d804bebd0d8049b70c95ae545ff06ca2acc9f85721a1d1f3c9b5b8
Formbook
d8487ecaafff72cace4e090aba52aa5c20b18a1627b1abf96f3591de054eb887
Formbook
fb958fde2068ea3f3cb5df440bd6f8cac47afef36ab98024153138ca9a982a5e
Formbook
+ 18'268 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mh76 rat spyware stealer trojan
Link:
https://tria.ge/reports/220928-jdh62afcf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8841393d-4264-4660-b3e9-aabb5ad970a0
Unpacked files
SH256 hash:
7a51903ae0e79eed1bfa29e36ea357d2ee255dec218016e91c5e287b55ae58e4
MD5 hash:
dd063f1b073b45bc3a4fe25c5a859eeb
SHA1 hash:
b2ea62711693c89ac6376c2075f951de302a779e
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e8e0edf7-e73b-4d9e-8b4b-36e23e357b8e/
Parent samples :
76381a94a940a4d2b7f4ecf9ab6e507eb1ab9dfb1deb27ef852b632ed069865e
b185a143f0152879be32508681282a6bf45d12f0d4d9525ac95f026990d82c87
24ef19db63cfcc0cebad5f54758de38284812b707ed53e9f404be03780451d39
d675408e7dcc87922c9d654a5c4f387f70d4a06ad99bad187753d90ee6381a87
1c6a3fdbe07eca91bb067a9ba1c90bd87df0d94a0f8c9d870c792baa4a040c45
1d040cec4469439a6c402ec04abf157a02b202fe4ddafe280d96b937b7eadce4
75563869f37196a473d163e40a4f393ba74b4c5feac4e178c83f670da5dd2762
25c9de9dfbbf115f5809dbbf9e246bebfa8b1925e99f070fa6233ad62ee22b9e
165f7a262d388cf63fc7f360cd1e2f1b7a6370586c8cbfce04e458800aca1d7a
bdb2cd093592b1e41acbf2e35565f0639628b86da36b1e6d49dcf1f81b751832
c767db1d9bb5f369f3a2d395412c98f71de29cf829800a2494a2c0dec8e4a57f
78c8c0aa6b6c7368ce2e9a6edb76db71162d7335c6da4f8489b276cd742f768b
a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295
43aaf13fbc49a0763cc55dfdf174892b76cc0b74a8698886d9376a4954e00818
a1eb3ccf50d23e3e49d659d55ca85c70d02e9c22a16b6e9f5270793a8487aa27
2d1a6fc2908bac0f7870588ab6f35467ea691f17ba2cb130b62fae506d630046
84b0888a5a6938795c26a681435c52a25c16fe2d1e6230112df171024c8767df
419127a78f8b1a361cab37011662b2ce411af7f4ad59d0f35ce5ca98eca1b92a
22f45817bd8b33de74fe1cc7db5569bd6af759b8fa1bd632ec37d4c7c822cfe1
ec77a02fcb9c5b393ed013b267010cf06e75550e8d977cb054d8e3fe681d8e6b
20abbef0a386be20828344f159293e55cfcf89942c3b26c21acc7b052fbe896d
6de2ff8d01687f6c88e2bc2c19407be670e1ece621227503eacac934739e67c7
82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466
3702b6cfa76e492d56bd9da5f99f7ff805e32c16b3840ee66bb13a812f5d3155
8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
b3a3645cf2d804bebd0d8049b70c95ae545ff06ca2acc9f85721a1d1f3c9b5b8
aa9c86a823e654e20b42edc829a890f08b0ffffaaa4054ca0033e0b4fae5765b
87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4
3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec
b4be0d5867f091bff8f48d03dfdde04ff2e4189170c4168745568a1b20ed1c9a
b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc
67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
SH256 hash:
34474ec702481c58312e4446dfee0b5ea1129cdaab51e80f6b99673a9a48a869
MD5 hash:
b74ac5c7dfb612d94b79823212e5b1aa
SHA1 hash:
2ad285abd49bb026727e9eadcfbc6ed41afb06b1
Link:
https://www.unpac.me/results/e8e0edf7-e73b-4d9e-8b4b-36e23e357b8e/
SH256 hash:
3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec
MD5 hash:
0f23b3dede5773a4da6e3f6869da28ad
SHA1 hash:
16b4fc729dc5b66381e710717acd7a226f0c631f
Link:
https://www.unpac.me/results/e8e0edf7-e73b-4d9e-8b4b-36e23e357b8e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f4e8eda0328/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314264/

Comments