MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fc36542d2b13579f4a8eba47c1c8b35dd5cb98c60708214850032e34db68bc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: 3fc36542d2b13579f4a8eba47c1c8b35dd5cb98c60708214850032e34db68bc3
SHA3-384 hash: 293a748707fe45ad63d0a44ffa641b7fb10f8b108dbcdb464d754ebcdb9b533d89c1821d6d513e71f2e50d79a3dbc316
SHA1 hash: 10fc69377065bc6f63d54ff64beca9cc1583731c
MD5 hash: d6f122d6e9d823056a7149dd2c71bd34
humanhash: white-sodium-delta-uniform
File name: 3fc36542d2b13579f4a8eba47c1c8b35dd5cb98c60708214850032e34db68bc3
Signature: Formbook
File size: 1'226'752 bytes
First seen: 2022-11-09 11:02:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:XJofAUFw3v7Fs07o92iNaf/f0Ntvyo6LJud8tJnwlO1Aqzb4s7OWBj/rI6vVyQWJ:Xe4N3DyGo91icGotuLw0bJOWBjv0
Threatray: 17'722 similar samples on MalwareBazaar
TLSH: T161455B683645AB4FC487CE359860DCB096516CBA571FD743D4C72DFBB90E2AA9E0C0A3
TrID:
  69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 192
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3fc36542d2b13579f4a8eba47c1c8b35dd5cb98c60708214850032e34db68bc3
Verdict: Suspicious activity
Analysis date: 2022-11-09 11:01:57 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness: (not provided)

Behaviour
Launching a process
Creating a window
Sending a custom TCP request

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signatures
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (rendered graph not available; recovered node data below):
Behavior Graph ID: 741867
Sample: JycDeJKDak.exe
Startdate: 09/11/2022
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree:
  JycDeJKDak.exe (started)
    Dropped file: C:\Users\user\AppData\...\JycDeJKDak.exe.log, ASCII
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Injects a PE file into a foreign processes
    JycDeJKDak.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        DNS/IP: www.xdawo.com 122.10.111.182, ports 49719, 49721, 80 (ULAN-NETWORK-LIMITEDULanNetworkLimitedHK, Hong Kong)
        DNS/IP: www.paulmontecalvo.com 108.186.209.199, ports 49716, 80 (PEGTECHINCUS, United States)
        DNS/IP: 2 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
        NETSTAT.EXE (started)
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures
Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2022-10-26 08:25:03 UTC
File Type: PE (.Net Exe)
Extracted files: 40
AV detection: 24 of 41 (58.54%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:8hj6 rat spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook
Unpacked files

SHA256 hash: a1b65beefedca26b6f04612bb62bb9e5709e541a4b887d4195fa0b4d5fb67f1f
MD5 hash: fa1ac0c3545f6fa8200e7be995bff6b5
SHA1 hash: 9fa221a9213f0d7e234cfa54f9159d3b059697d7
Detections: XLoader win_formbook_auto win_formbook_g0

SHA256 hash: 906c07fa2b6b75b2a1eb2fc1e3711a5ef7b05f2ec4eaec8f1562fe6596f96c70
MD5 hash: b96c37744cde4e7b7e58080f7eca6531
SHA1 hash: 5a6d4bf35f13b2529821e89f3465c43f520ee17c

SHA256 hash: c3b2169ba55768d7bf943d3d587a7c9fb0c685146937c4e0809f8ec61f012e60
MD5 hash: 044d3b1558893b3dc6c263fcb42467b4
SHA1 hash: fdb4d839a69287b0b8c6e78d0d49d87531be7699

SHA256 hash: 952cc50f9de7b8a921575af93c526b76b1c850dd61b4047cb15c64fdec6770e8
MD5 hash: f93cbfbbdf836ced90975cfd71f901f8
SHA1 hash: d04074cce2c2c765c6d73aa53ad7360c2043d6c6

SHA256 hash: adcbe03bcd3181d9f0594516964d74596d8fda6f306564d3b92046c4b52dd7ea
MD5 hash: 04e580ce58056121ccbf02fd313105df
SHA1 hash: bd6b5b69e2f3c98a29d3aed56bdb7e4975be94eb

SHA256 hash: bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd
MD5 hash: b52058082749f08bbcb7036b0d4189e8
SHA1 hash: 90365baf6b18ff3139da00cd5caf30660643110e

SHA256 hash: 3fc36542d2b13579f4a8eba47c1c8b35dd5cb98c60708214850032e34db68bc3
MD5 hash: d6f122d6e9d823056a7149dd2c71bd34
SHA1 hash: 10fc69377065bc6f63d54ff64beca9cc1583731c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments