MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3
SHA3-384 hash: 1a45a0c95515b98aff71e75c2ff9efadf9b88980941c41b6a5a418c046f1fd0dc3d71f0cc971aea95312fbe8e29e5ba4
SHA1 hash: a424f03f17c60ad350dfa339e259bf4e2d154397
MD5 hash: db0f79a32d40391e30785165ca81c008
humanhash: two-aspen-fish-vermont
File name:RE WO NO 23085EGYTVR GROUP LTD.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:832'512 bytes
First seen:2023-04-03 05:55:25 UTC
Last seen:2023-04-03 06:34:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zPiKdJVZz5dl97jd/XtKso1dBl3pZeUe6mhST75mEgBFFXNxbe1srfjSd:7FVZ9t7j9DG3Zl+y75mEgtXNZrfjSd
Threatray 2'432 similar samples on MalwareBazaar
TLSH T13D051255F6946121DB3987F845A08D04C3BCA2D317A3EB49ED0C61E36EF53D40A2FA6B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RE WO NO 23085EGYTVR GROUP LTD.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-03 05:57:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df2e6f00-d2fa-47c6-a422-0ec6dca0a86f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379506/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/642a6a8411c9ca757ef482d7/reports/2161466b-c2c5-465a-801b-4f96ada7fc92/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3acb3c10-d12a-43de-a883-a90ad944e386
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1206920
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 839836 Sample: RE_WO_NO_23085EGYTVR_GROUP_... Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 27 www.fashiontwin.info 2->27 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 3 other signatures 2->41 9 RE_WO_NO_23085EGYTVR_GROUP_LTD.exe 3 2->9         started        signatures3 process4 file5 25 C:\...\RE_WO_NO_23085EGYTVR_GROUP_LTD.exe.log, ASCII 9->25 dropped 55 Writes to foreign memory regions 9->55 57 Injects a PE file into a foreign processes 9->57 13 RegSvcs.exe 9->13         started        16 RegSvcs.exe 9->16         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 18 explorer.exe 2 1 13->18 injected process9 dnsIp10 29 www.registemob.live 185.137.133.211, 49709, 49710, 80 SOFT-DREAMS-ASIenachitaVacarescunr18RO Romania 18->29 31 www.fj-sec.com 151.80.185.245, 49701, 49702, 80 OVHFR Italy 18->31 33 12 other IPs or domains 18->33 43 System process connects to network (likely due to code injection or exploit) 18->43 45 Performs DNS queries to domains with low reputation 18->45 22 cmmon32.exe 13 18->22         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 22->47 49 Tries to harvest and steal browser information (history, passwords, etc) 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 03:32:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=umkzunbs65svy4vfdcpwlwwee4z5xjwttfk2vpiw4ok3kd3p7krq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
Formbook
1546e632cb3cd6abb0497a1e941d7c1afefd3d1bc7582b63f49d948241406b80
Formbook
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
Formbook
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Formbook
5a2e7eb559e1d587d537ff0033d00fb27f7e17bf0c2a5db6bb3842b9e2fa9972
Formbook
9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
Formbook
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Formbook
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
Formbook
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
Formbook
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
Formbook
+ 2'422 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230403-gm2zdsda97/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
524f87a66be4679c591a5d3b822f7ab19f42049f6471d8e80c5229b1a0cfa308
MD5 hash:
fab4a8db9b8e2cedc894b9d0d2461e79
SHA1 hash:
3845700497ac915cf72ce8392ad3c73977294b21
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
Parent samples :
9518bbb8733188879069262811a90b041d800479edbb1b0be4a7526deb47bbed
a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3
SH256 hash:
3caff88ee4a8a36d480afcf7ee7366a649a8b00042dd7366ad724bda91d9ef67
MD5 hash:
d68bf934bfaee5b27f2b6e032f0d84b3
SHA1 hash:
94a9b105b238eccd9a23c890f1843495a356a2fe
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
SH256 hash:
1960afae34adb7ad4455991d0dc7ac53bc889d25545a38df4db73d5c1037a484
MD5 hash:
a256b408c7185357d8ca7629be60bfe1
SHA1 hash:
eb01b7e4c648d52c2b39b4f81cf2c884da467ae6
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
SH256 hash:
b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb
MD5 hash:
3c6f8b2e78f5ebf58c4f170b30c04607
SHA1 hash:
c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
5f9d6a953f1f2815374dc4ad4d4f743a9566e78ef761e73d9f671ce663d4ec57
MD5 hash:
ec1a1bfdb0033f4c4fb0e952590bd279
SHA1 hash:
313b8004123098283088224802805ec71ea5188c
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
SH256 hash:
a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3
MD5 hash:
db0f79a32d40391e30785165ca81c008
SHA1 hash:
a424f03f17c60ad350dfa339e259bf4e2d154397
Link:
https://www.unpac.me/results/509b2f13-7c0b-48b1-a0b5-9f7d9bb9760b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a3159a3432f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a3159a3432f7655c72a5189f65dac42733dba6d39955aabd16e395b50f6ffaa3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379506/

Comments