MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14

SHA256 hash: 3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9
SHA3-384 hash: 2d16fbdec9690584717c6f07bf4187e8879eadbb91bd8e12dd97293fe532ac557678fac7e56772d5c47c02fff8f70d6e
SHA1 hash: bc58aec34578c6779ba8678c9ef1111a3c7ff783
MD5 hash: 7ba74cfbbbc79617ebe934f3ca7bea83
humanhash: july-july-cold-batman
File name: FedEx_AWB#501209127413.exe
Signature: Formbook
File size: 658'432 bytes
First seen: 2023-10-25 11:40:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:iHfWF9Ak06aHmvkacuu+ZN3YPH9U9i5rje4AXms/LW3TJjj34E2rUOIa4:QWFmk06kmvkaFR+dtu4emeMfr2rfr
Threatray 11 similar samples on MalwareBazaar
TLSH T1A3E4128A3AB45B73C9E467FD916221120B73D3AA61B6E79CADC351CD4C13F80C914B5B
TrID:
  63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.2% (.SCR) Windows screen saver (13097/50/3)
  9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon c0c4ccb4a8e27634 (11 x AgentTesla, 2 x Formbook, 2 x SnakeKeylogger)
Reporter lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 344
Origin country: DE

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: FedEx_AWB#501209127413.exe
Verdict: Malicious activity
Analysis date: 2023-10-25 11:45:14 UTC
Tags: formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
  Searching for the window
  Creating a window
  Sending a custom TCP request
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
  Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph (ID: 1331838)
Sample: FedEx_AWB#501209127413.exe
Start date: 25/10/2023
Architecture: WINDOWS
Score: 100
Top-level network contacts: www.myeuropesmartmove.com; www.lifeiextension.com; 14 other IPs or domains
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Process chain:
  FedEx_AWB#501209127413.exe (started) - Injects a PE file into a foreign processes
    -> FedEx_AWB#501209127413.exe (started) - Maps a DLL or memory area into another process
      -> vhivZPAwFbWdeYfVOqXOiIGCYubDu.exe (injected) - Uses nslookup.exe to query domains
        -> nslookup.exe (started) - Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
          -> vhivZPAwFbWdeYfVOqXOiIGCYubDu.exe (injected) - network contacts: www.ceravolt.life 203.161.53.83, 80 (VNPT-AS-VNVNPTCorpVN, Malaysia); www.purelyunorthodox.com 154.204.19.73, 49745, 80 (SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles); 5 other IPs or domains
          -> firefox.exe (started)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2023-10-25 01:21:36 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 22 of 37 (59.46%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
  SHA256: d05893b7f6f8e80de00ec14432669d61fcc0e3e84d1a8235e6c9207a2fecc650
  MD5:    5fbe5d27b6cbcb98066b83b977bcf634
  SHA1:   bfe5828699cc8d7b30f878dfbc3c3d803b9ef138

  SHA256: 1f8a20b96c62ffc5bd01ea563610cdc77e5b9f2083d9fd72b6ec61ee56536bcf
  MD5:    8afb6fc354a6265be6fa2bfee5d57724
  SHA1:   f5e0bebeab740bee76d6b42f4c8696dd49f87d50

  SHA256: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
  MD5:    579197d4f760148a9482d1ebde113259
  SHA1:   cf6924eb360c7e5a117323bebcb6ee02d2aec86d

  SHA256: 74ffd41cc2b0b72c1dd2a0fa8a7f92df1f435a81421ffd8bc4a85f5e12b492d3
  MD5:    ea4c0319e06df549962c0c45da23ffab
  SHA1:   901d9165695d2eb3d0b632862e560f3dd5326012

  SHA256: 5346d6ee4283f1cf6c816afeb1d51b02b8c04ded447c6bdc04c7fee358ade915
  MD5:    e05dd6c8fff1476975c9616aa45f0b48
  SHA1:   fd2d3d0d8889185639eb781ab15f2e258ae18bf9

  SHA256: e0a1eac95f6c589a61e9b0bf8a135279320b3b0b51fddf8fc0be24613daaf694
  MD5:    c1641dbe54fab4d86e1e473ee623eccd
  SHA1:   f5a6bbff97126f71a87fead8571accb4e73d01d2

  SHA256: f7075a007f0754d002e08e0b44860673b72a7b52af6333c44ee7c50e753e9f03
  MD5:    dd77e6575df866f84560f29b44e60e9f
  SHA1:   710898c40d62998240ec9b7d6499eec5f3512e9b

  SHA256: 9e87b2fafac7d21141f3d9ec59b71c5fb5c4408dd98be0d753dd9ca0a60446cc
  MD5:    b7da76b6f8930d855acddbe2b3c67947
  SHA1:   392dce235877d88f73f0c2aabaac6a3dc7043b4f

  SHA256: 67b9428b30376f00b13407833d1e1d49fce6e09af2387a462283b7f43a672b80
  MD5:    aab64a8e8067bf2883e5994f4f1b56f3
  SHA1:   3569a1d821c56aaf9a8eec7e034b3654ffc28ce8

  SHA256: 8a54d01ca4d36e2ba0f4cf9c7b0080f141aa67473cddcc8119f41f53fcbff41f
  MD5:    a17249d406e35816f19650e56b5eef6b
  SHA1:   26a5374d2607ba6df5f3f355157fa49d0a4c938e

  SHA256: 3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9 (this sample)
  MD5:    7ba74cfbbbc79617ebe934f3ca7bea83
  SHA1:   bc58aec34578c6779ba8678c9ef1111a3c7ff783
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
  Executable exe 3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9 (this sample)

Delivery method: Distributed via e-mail attachment

Comments