MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622
SHA3-384 hash: efe291e3be43493098d439b4a0246ca9774b66c629be52e2922045773784d9dc4d69f9aa65aa333421257ca10485e691
SHA1 hash: 3ea04975f148b98734e9d962d714851af449836c
MD5 hash: d6eee4d764d2c79132ff4dee0ec08c8a
humanhash: nineteen-bulldog-ceiling-montana
File name:ORDEN DE COMPRA-34002174,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:245'248 bytes
First seen:2021-10-18 15:46:02 UTC
Last seen:2021-10-18 17:18:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:3xbvvUAVfUfcbk6VdJ1OgvHi40mMFDuj3EQ3Qpt13Q3aJ:BbvcmUfcbk6VdJEeC4NMFD0EQ3g4
Threatray 10'704 similar samples on MalwareBazaar
TLSH T11E34AD5C72B0917BC5BE9B313969C37C06323E143DBE914E31847B6E1BF26A28D5A316
File icon (PE):PE icon
dhash icon 7cfcc8d8f8b8f8e0 (2 x SnakeKeylogger, 2 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198266/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FVA.genEldorado.6779.7814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616d96bddb358dd15ebff633/reports/2667b4b2-7ff9-4b56-8649-0ec561d0134d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Avalon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66aa9d7e-eace-46a6-bca5-e715574db4fd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872436
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 504858 Sample: ORDEN DE COMPRA-34002174,pdf.exe Startdate: 18/10/2021 Architecture: WINDOWS Score: 100 33 www.estide.com 2->33 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 10 ORDEN DE COMPRA-34002174,pdf.exe 15 5 2->10         started        signatures3 process4 dnsIp5 35 store2.gofile.io 31.14.69.10, 443, 49755 LINKER-ASFR Virgin Islands (BRITISH) 10->35 37 192.168.2.1 unknown unknown 10->37 27 C:\Users\...\ORDEN DE COMPRA-34002174,pdf.exe, PE32 10->27 dropped 29 ORDEN DE COMPRA-34...exe:Zone.Identifier, ASCII 10->29 dropped 31 C:\...\ORDEN DE COMPRA-34002174,pdf.exe.log, ASCII 10->31 dropped 55 Writes to foreign memory regions 10->55 57 Allocates memory in foreign processes 10->57 59 Injects a PE file into a foreign processes 10->59 15 ORDEN DE COMPRA-34002174,pdf.exe 10->15         started        file6 signatures7 process8 signatures9 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 WWAHost.exe 15->18         started        21 explorer.exe 15->21 injected process10 signatures11 39 Self deletion via cmd delete 18->39 41 Modifies the context of a thread in another process (thread injection) 18->41 43 Maps a DLL or memory area into another process 18->43 45 Tries to detect virtualization through RDTSC time measurements 18->45 23 cmd.exe 1 18->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 15:46:06 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6k6o6k7rqfxbgbvmgsiijphgxxxqmtagvbzqd2gbmjvmqb6yyra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c22acaa973cbb781aea92dc1fb5a8c7cc1fd2abd403f2a6b9703f8f1e1c8657
Formbook
16129df384053888782272720ec796ed1e0947d6122bd32823b3ccd03e892664
Formbook
21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
Formbook
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936
Formbook
ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3
Formbook
fa73563a8ccbea57411fb4b9a5c713c1be3771e7c765a0b8e1100d0f4584c634
Formbook
+ 10'694 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:g8ne loader rat suricata
Link:
https://tria.ge/reports/211018-s7mkzseghj/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.melindair.xyz/g8ne/
Unpacked files
SH256 hash:
3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622
MD5 hash:
d6eee4d764d2c79132ff4dee0ec08c8a
SHA1 hash:
3ea04975f148b98734e9d962d714851af449836c
Link:
https://www.unpac.me/results/5c20bb0f-aa17-4514-9902-40baf169133a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3f95e7795f8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198266/

Comments