MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b
SHA3-384 hash:	2750efa2486329be6e9e47c388053e1282ecc8e0e5aa88dd609bee92bd22495e29f726ab729c5196d1bcd54d2a85cd23
SHA1 hash:	dad77adf617f58164646ef4c2b1ca2cb304eb906
MD5 hash:	30a0fea5d5bbd50ec74273d50b87f973
humanhash:	north-montana-coffee-five
File name:	Request for Proposal (RFQ) LA62023087.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	768'512 bytes
First seen:	2023-04-11 04:53:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:yEdW2iNWx01eukUUqYMbRicgiw9HHsaTP7/8m9Y2MqphsX6uVD:/W1A0aU8MbOvHsa//r9Pphs
Threatray	2'642 similar samples on MalwareBazaar
TLSH	T1EAF46B520C6642D5C8BA0FA854783A485B799C938FD4903E7C82797FCFFAB4B54893D2
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Request for Proposal (RFQ) LA62023087.exe

Verdict:

Malicious activity

Analysis date:

2023-04-11 04:56:14 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/9b6e6940-e060-459d-b1ec-3967070e6ffa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/381302/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching the process to change network settings

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/6434e7eb40ffb6ba5fad20de/reports/8140832c-534c-44f0-9a41-8a57ec9bdf88/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7fb74de5-35b1-49bb-b115-e167fe948da5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1211435

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-04-06 14:38:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h74nvge4arr6b3firfsouoehnynz4hr57z6lvolcs77k372uoe5q._file

Verdict:

malicious

Label(s):

formbook

Formbook

4f285ae8e4b4fc0bc50cb639a413412a276f7d187770da6fb5e089eeeff9145e

Formbook

94dab2dcd48fb66d3a0836a2711083a5ee738603de0b47fecfed4e23711def16

Formbook

a1f1dfe6d2c7d5010bd2d3eef64f83695307f83e12f05aa89762113fd13a9456

Formbook

b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080

Formbook

c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564

Formbook

ca0e3813c0c1155a09e9fb2f0e9133fd61c8438d875a3ed797b9bdf3ad79c5fb

Formbook

dc8ac0ea14e9f418a35bd58f5f495282c9eb6a0e5331c197daf21f69f6d29222

Formbook

f0eef09d45e8b0edf907f9fa6f9bd84a33327f62359fef4b92508a413d68c1b3

Formbook

facf2fbbac21edd7550d00e6f6916f9ee598f9c3bdc2ca0feb288c139d687672

Formbook

+ 2'632 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:cx01 rat spyware stealer trojan

Link:

https://tria.ge/reports/230411-fjjg7sae27/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

65532eced8f8afb2148aae4fea0cf6764349256c0b5a3a89a6875b6bed2a6a09

MD5 hash:

e979886dd03a38f4ea730b97f421196f

SHA1 hash:

6a0f676c2735a5afaea258ee5ab12b9d5299aba4

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

Parent samples :

c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564
f0eef09d45e8b0edf907f9fa6f9bd84a33327f62359fef4b92508a413d68c1b3
3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
319ed15753e7ce1ff182e1bd2e4900de9c76300f30cb645c01b57324de50face
c233b5359370a026201a1648489a3f1f91fd11cadb41e87ce45c60ea3a15f8f1
07ad0c61940072d3f26c6706e550f970c2e3ee59d1b0a519515ebf16e013b11c
c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0
4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e
3b0069e420ccfba9dff2e274d714fe3f62a6b9f3b5630e0fd28a89f579ebadcd
9c0a4fbfc6a9ee19747c3bd56699ad195ef95f65752476a208f7ef7fc2dd27f8
e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f
880b7f96797851986e0dfb579afb707a7529f1adf9cce67efb7534d4003b8aa7

SH256 hash:

7b018d831e5a135868fc7e507c2e4360b7fb5890554e689a7817759528a29b85

MD5 hash:

a4ef8d0a55cbfe334ef8e92dfa18d8ca

SHA1 hash:

b22515298982a3bc17a127e49a4f7afd5b8e69fa

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

SH256 hash:

6ed5754774ca845ea9082b30abb01d1db00078035c800d347212d21778ae5b72

MD5 hash:

656856ebecb29670e0e8fa56046e5eb4

SHA1 hash:

954b5a1bca5190305e1245b041dddcd487e28924

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

SH256 hash:

b1a878c4c21cbaec45b252f36f222fc3eeb419c096ba3c18d81205d5d434fc0b

MD5 hash:

b9767a7581199ca6ad098a6f525cc9da

SHA1 hash:

8b53f9553ccc0e2ddefebfc57e58943e3260957d

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

SH256 hash:

281a1ee136483fdfa9a499d547074800684c50a55160585e0d614d291daff4e1

MD5 hash:

75bb1e6021f6383df604be3f6634d0a0

SHA1 hash:

7f8926129d27a05925d863204cd94d804e471226

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

SH256 hash:

3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa

MD5 hash:

e79bf0e7e9d52d398e0b23b352394c68

SHA1 hash:

682325763a0ec77e0fd475ea3a4021b4651eceac

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

SH256 hash:

3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b

MD5 hash:

30a0fea5d5bbd50ec74273d50b87f973

SHA1 hash:

dad77adf617f58164646ef4c2b1ca2cb304eb906

Link:

https://www.unpac.me/results/be06a0bf-164e-4891-9054-5a4bc44e1479/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ff8da989c04/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/381302/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample