MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: 3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e
SHA3-384 hash: d00770412fdaea2213aa110c31acdf34300ecbf578dfdb3c0e89d7992d1fe5a55d9893b98ff32a2092f81749671b2d3f
SHA1 hash: 61bc2dffa9ed8d6d23768996f10625769659444a
MD5 hash: 1c808f1d1595115996f6abc5e855ae35
humanhash: lamp-vermont-yankee-burger
File name: e-dekont.exe
Signature: Formbook
File size: 961'024 bytes
First seen: 2024-01-08 08:10:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:h85rryO3vT8NrsBYj/Ghvn4LrTMRziamZcUswhBYC1C9ivI3UJB2gTc603:C5rG8vT8ddJLSziamyUfhf1CInrc603
Threatray: 753 similar samples on MalwareBazaar
TLSH: T135156DD1F15088DAED6B09F1BD2BA53024A37E9D54A4810C569EBB1B76F3342209FE1F
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 323
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: MSIL Injector
Verdict: Malicious

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  .NET source code contains method to dynamically call methods (often used by packers)
  .NET source code contains potential unpacker
  Antivirus / Scanner detection for submitted sample
  Injects a PE file into a foreign processes
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for submitted file
  Yara detected AntiVM3
  Yara detected FormBook
Behaviour
Behavior Graph ID: 1371099
Sample: e-dekont.exe
Start date: 08/01/2024
Architecture: WINDOWS
Score: 100
Signatures on the root node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
Process tree (recovered from the graph): e-dekont.exe (started; "Injects a PE file into a foreign processes") -> three child e-dekont.exe processes (started; one flagged "Maps a DLL or memory area into another process") -> two WofYrRuznLEQa.exe processes (injected) -> one WerFault.exe per injected process (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2024-01-08 06:31:06 UTC
File Type: PE (.Net Exe)
Extracted files: 27
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
  Enumerates processes with tasklist
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect PE file that has no import table
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Windows_Trojan_Formbook
Author: @malgamy12
Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security
Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e (this sample)
Delivery method: Distributed via e-mail attachment