MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066
SHA3-384 hash: b90e96023374622d3651545b2c5bdf1a94cbb577ee0127c6f52643f8d1258a0199dcb64a51ce7b50d233540d6c35e72f
SHA1 hash: e32dd46e64fd1026dd5421399f80ebe8e83f9151
MD5 hash: 04a418e28eaedb2b687933fcc85f79c3
humanhash: alabama-network-saturn-wolfram
File name:8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066
Download: download sample
Signature FormBook
Create hunting rule
File size:812'032 bytes
First seen:2022-10-07 12:40:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:WCu+tziaBCBx8p7Y7xVQcd59SU54E8XnqiGepgtbdwSQsiLu:S+9/CBy5SVlNENg5OsiLu
Threatray 16'592 similar samples on MalwareBazaar
TLSH T10305CF241B65C90BC869A538DCD1F3711DAC1EE5936FC24B48DC7CBBF63A2986C913A1
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30381636361c3930 (3 x Formbook, 2 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317633/
Detection(s):
Win.Dropper.Nanocore-9970955-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63401e5ed089a0c15dd5b967/reports/d4d4d9a8-bc50-4785-8512-5c49136d5a03/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60d85f49-0d45-44a1-8921-ac43bf616852
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085729
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Steal Google chrome login data
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 718291 Sample: md9gej4nn5.exe Startdate: 07/10/2022 Architecture: WINDOWS Score: 100 65 www.1yes.store 2->65 77 Malicious sample detected (through community Yara rule) 2->77 79 Sigma detected: Scheduled temp file as task from temp location 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 8 other signatures 2->83 11 md9gej4nn5.exe 7 2->11         started        15 aShcUQbSifqhGh.exe 5 2->15         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\aShcUQbSifqhGh.exe, PE32 11->55 dropped 57 C:\...\aShcUQbSifqhGh.exe:Zone.Identifier, ASCII 11->57 dropped 59 C:\Users\user\AppData\Local\Temp\tmp766.tmp, XML 11->59 dropped 61 C:\Users\user\AppData\...\md9gej4nn5.exe.log, ASCII 11->61 dropped 93 Uses schtasks.exe or at.exe to add and modify task schedules 11->93 95 Adds a directory exclusion to Windows Defender 11->95 97 Tries to detect virtualization through RDTSC time measurements 11->97 17 md9gej4nn5.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        99 Multi AV Scanner detection for dropped file 15->99 101 Machine Learning detection for dropped file 15->101 103 Injects a PE file into a foreign processes 15->103 24 aShcUQbSifqhGh.exe 15->24         started        26 schtasks.exe 1 15->26         started        28 aShcUQbSifqhGh.exe 15->28         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 17->69 71 Maps a DLL or memory area into another process 17->71 73 Sample uses process hollowing technique 17->73 75 Queues an APC in another process (thread injection) 17->75 30 explorer.exe 17->30 injected 32 WWAHost.exe 17->32         started        35 conhost.exe 20->35         started        37 conhost.exe 22->37         started        39 conhost.exe 26->39         started        process9 signatures10 41 systray.exe 18 30->41         started        67 Tries to detect virtualization through RDTSC time measurements 32->67 process11 file12 51 C:\Users\user\AppData\...\21Ologrv.ini, data 41->51 dropped 53 C:\Users\user\AppData\...\21Ologri.ini, data 41->53 dropped 85 Detected FormBook malware 41->85 87 Tries to steal Mail credentials (via file / registry access) 41->87 89 Tries to harvest and steal browser information (history, passwords, etc) 41->89 91 3 other signatures 41->91 45 cmd.exe 2 41->45         started        signatures13 process14 file15 63 C:\Users\user\AppData\Local\Temp\DB1, SQLite 45->63 dropped 105 Tries to harvest and steal browser information (history, passwords, etc) 45->105 49 conhost.exe 45->49         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-19 07:14:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rm7ygnrrwodaiffvr3u2yftirxue3q244civ3vsdb7zuwxiggbta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22ddbee8b6beef1e5e438920b314ee4189ae3c2e71c05af0c21551dbef095bf0
FormBook
270500c5521140994311eb56049807f33541472e66e3aefc8101fc2767c4fea6
FormBook
70d121cfabbbf118335b8ae4f6a3a072f09ce2f11bd73c711120fa9070d608e3
FormBook
85ad89d8d4f234a0ebde2dc31384489fc0b2e06bab9f3ac779dd5636bdfd6bbe
FormBook
c0b433e9f4a2438b5647e9e2e236747cc55e931e46da8e52531b1c70786467d2
FormBook
c79bd4c69c806e1516f6cf2160ffa1172e074fbe652bd3793f661aaa39cccab9
FormBook
def1e379f4f24a71f326af79054273cdc59833058d729e946ed8f0ed4ee0b882
FormBook
e8911ed914364aaa1dbffcfe55c53e2932e9f38ea490523a8bcaf8e13633187a
FormBook
+ 16'582 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s92n rat spyware stealer trojan
Link:
https://tria.ge/reports/221007-pwrh1scea8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3d1d20dc-5203-4b1d-b29a-b5b9120c5c35
Unpacked files
SH256 hash:
244f58fb8f6fdf5e2d24c7892bc96760b28be3af800f3e1b8e3bda04bc6976f8
MD5 hash:
e5497328b8695bfcc1a240eb8651d62c
SHA1 hash:
8d006cf38cfd902abfe2dc65923e7eb84f7e11c9
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/73ee9a0d-d88a-4443-a726-42e2cdae4989/
Parent samples :
52a12469debda778b4def88717f2e12641ecdbb7cd10e61669423e0b645c5854
68ecb3a0784bbfd4ac9f3d1c76cfc09cff02b4298839e2e1b293e9ef8833b265
5ed5d89c1712647161555baaee7e2a1e45e9aa5207f78dd338ac27d492966e2d
f29cbe65a3306988ba4e1945bce656ade7ce94fd178e354300bcd698d86fcb5e
8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066
SH256 hash:
346e577c5dec79815e2cbb7611317d72840a0435da395715873b48f86db26a3a
MD5 hash:
247aea7a88fd8b1113bebff48a554678
SHA1 hash:
cfcc0ba10a7e2da7d0e56fb01e4ac20b3c52a6fc
Link:
https://www.unpac.me/results/73ee9a0d-d88a-4443-a726-42e2cdae4989/
SH256 hash:
f0129d0412e67112a5a1b47eba89d520a7bc3ebb3a377dcbcd89666174743660
MD5 hash:
ba90d6acb8cc6e58f76d729b175827dd
SHA1 hash:
552681d5037aa4dcba8e69226b41da2e00275257
Link:
https://www.unpac.me/results/73ee9a0d-d88a-4443-a726-42e2cdae4989/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/73ee9a0d-d88a-4443-a726-42e2cdae4989/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/73ee9a0d-d88a-4443-a726-42e2cdae4989/
SH256 hash:
8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066
MD5 hash:
04a418e28eaedb2b687933fcc85f79c3
SHA1 hash:
e32dd46e64fd1026dd5421399f80ebe8e83f9151
Link:
https://www.unpac.me/results/73ee9a0d-d88a-4443-a726-42e2cdae4989/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b3f833631b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b3f833631b3860414b58ee9ac16688de84dc35ce0915dd6430ff34b5d063066

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317633/

Comments