MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 13

SHA256 hash: a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4
SHA3-384 hash: 89d2d5fa5cb6a1b5765409e88f8dd82db020c3f1d6037cb29e4e80043e2bc6e32072209985d31df57bbea3e4f21ac38d
SHA1 hash: 50e3e95a0823484c7729fc42250e310342335551
MD5 hash: dcedadc9e7ab6c8b55aba9a69f0ad589
humanhash: island-april-jig-william
File name: factura kts 770417.exe
Signature Formbook
File size: 311'758 bytes
First seen: 2022-03-18 16:39:00 UTC
Last seen: 2022-03-18 18:45:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 6144:rGi23KgtTpc/5nbm7vtEcpvCzS910Z6Z6NHYhbMBmJW3KX:KagtlE5bwvtEqvCi0m6NHs4cAW
Threatray: 11'556 similar samples on MalwareBazaar
TLSH: T13064225259C086ABD2E10D3039FA6ABCE3BDE7C945AB3F274F109F296134546817D24A
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: GovCERT_CH
Tags: exe FormBook xloader

Intelligence

File Origin
# of uploads: 2
# of downloads: 282
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected FormBook
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-03-18 16:39:12 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
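The behaviour lines above (a file created in %temp%, a process started from a recently created file, a dropped EXE executed) are the sandbox's view of a classic dropper. The following Python is an added example, not MalwareBazaar's or any sandbox vendor's code, of the same logic written as an endpoint detection: it correlates Sysmon FileCreate (event ID 11) and ProcessCreate (event ID 1) records and flags an image that was written to a temp directory shortly before it was executed. `SAMPLE_EVENTS` is a constructed log; the paths and process IDs in it are invented (only the attachment name comes from this entry), and the field names follow Sysmon's own (`UtcTime`, `Image`, `TargetFilename`, `ParentProcessId`).

```python
"""Dropper detection: a process started from a file that another process
wrote to a temp directory moments earlier.

Added example, not MalwareBazaar or sandbox vendor code. Input is a list of
Sysmon-style dicts (EventID 11 = FileCreate, EventID 1 = ProcessCreate);
SAMPLE_EVENTS below is constructed and not taken from any real host.
"""
from datetime import datetime
from typing import Dict, List

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_temp_path(path: str) -> bool:
    """True for paths under a user or system temp directory (case-insensitive)."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def find_dropped_executions(events: List[Dict], window_seconds: float = 120) -> List[Dict]:
    """Correlate FileCreate with ProcessCreate by image path.

    Events are walked in time order. Each FileCreate remembers who wrote the
    file and when; a later ProcessCreate whose Image matches a file written to
    a temp directory within window_seconds is reported, together with whether
    the writer is also the new process's parent (the self-dropping pattern).
    """
    recent_writes: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.fromisoformat(ev["UtcTime"])  # Sysmon UtcTime format
        if ev["EventID"] == 11:
            recent_writes[ev["TargetFilename"].lower()] = {
                "time": ts, "image": ev["Image"], "pid": ev["ProcessId"],
            }
        elif ev["EventID"] == 1:
            image = ev["Image"].lower()
            write = recent_writes.get(image)
            if write is None or not is_temp_path(image):
                continue
            age = (ts - write["time"]).total_seconds()
            if age <= window_seconds:
                alerts.append({
                    "time": ev["UtcTime"],
                    "image": ev["Image"],
                    "pid": ev["ProcessId"],
                    "dropped_by": write["image"],
                    "seconds_after_write": age,
                    "dropper_is_parent": ev.get("ParentProcessId") == write["pid"],
                })
    return alerts


# Constructed events. The first pair is the dropper pattern; the rest are
# negatives: a log file nobody executes, a system binary with no FileCreate,
# and a temp executable run long after it was written (outside the window).
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2022-03-18 16:40:01.100", "ProcessId": 4120,
     "Image": "C:\\Users\\victim\\Downloads\\factura kts 770417.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\stage2.exe"},
    {"EventID": 1, "UtcTime": "2022-03-18 16:40:03.500", "ProcessId": 5044,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\stage2.exe",
     "ParentProcessId": 4120,
     "ParentImage": "C:\\Users\\victim\\Downloads\\factura kts 770417.exe"},
    {"EventID": 11, "UtcTime": "2022-03-18 16:40:05.000", "ProcessId": 3001,
     "Image": "C:\\Program Files\\Updater\\updater.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.log"},
    {"EventID": 1, "UtcTime": "2022-03-18 16:40:06.000", "ProcessId": 5100,
     "Image": "C:\\Windows\\System32\\notepad.exe", "ParentProcessId": 2200,
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "UtcTime": "2022-03-18 16:00:00.000", "ProcessId": 3001,
     "Image": "C:\\Program Files\\Updater\\updater.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup_helper.exe"},
    {"EventID": 1, "UtcTime": "2022-03-18 16:41:00.000", "ProcessId": 5200,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup_helper.exe",
     "ParentProcessId": 3001, "ParentImage": "C:\\Program Files\\Updater\\updater.exe"},
]

if __name__ == "__main__":
    for alert in find_dropped_executions(SAMPLE_EVENTS):
        print(alert)
```

The window is the tuning knob: two minutes catches the sandbox's "process from a recently created file" case, while widening it to an hour also flags the installer helper in the last pair of events, so in production the time bound is normally combined with a signer or prevalence check on the dropped image.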
Unpacked files
SHA256 hash: 53c40a63a034380446ebecad653e782f35f19cc2276fce686b473ae778d2fdd0
MD5 hash: 6575c02b436220dd5bafbc0f046a8342
SHA1 hash: dc2eac427a3b80b4aff4d46dcf4c11be2e1a0abb
SHA256 hash: a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4
MD5 hash: dcedadc9e7ab6c8b55aba9a69f0ad589
SHA1 hash: 50e3e95a0823484c7729fc42250e310342335551
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
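The digests in this entry (SHA256, SHA3-384, SHA1, MD5 for both the submitted sample and the unpacked payload) and the file-type fields are enough to triage a suspect attachment offline. The following Python is an added example, not MalwareBazaar's code: it hashes a file in one pass, matches the result against the hashes copied from this entry, and flags a PE header hiding behind a non-executable extension, the pattern a malspam attachment named like an invoice relies on. `KNOWN_IOCS` contains only hashes from this page; `FAKE_PE` is a constructed 68-byte stand-in for a real file and is unrelated to the sample.

```python
"""Local triage of a suspect attachment against this entry's indicators.

Added example, not MalwareBazaar code. Only the hashes in KNOWN_IOCS come
from the database entry; every other value here is constructed.
"""
import hashlib
from typing import Dict, Iterable, List

# (algorithm, hex digest) -> label, copied from this entry: the submitted
# sample and the second file listed under "Unpacked files".
SAMPLE = "Formbook sample (factura kts 770417.exe)"
PAYLOAD = "Formbook unpacked payload"
KNOWN_IOCS = {
    ("sha256", "a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4"): SAMPLE,
    ("sha1", "50e3e95a0823484c7729fc42250e310342335551"): SAMPLE,
    ("md5", "dcedadc9e7ab6c8b55aba9a69f0ad589"): SAMPLE,
    ("sha256", "53c40a63a034380446ebecad653e782f35f19cc2276fce686b473ae778d2fdd0"): PAYLOAD,
    ("sha1", "dc2eac427a3b80b4aff4d46dcf4c11be2e1a0abb"): PAYLOAD,
    ("md5", "6575c02b436220dd5bafbc0f046a8342"): PAYLOAD,
}


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute the four digests the entry lists, reading the input once."""
    digests = {
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
    }
    for chunk in chunks:
        for h in digests.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file from disk so large attachments are not loaded whole."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests: Dict[str, str]) -> List[str]:
    """Labels of every indicator whose algorithm and digest both match."""
    return sorted({KNOWN_IOCS[(a, d)] for a, d in digests.items() if (a, d) in KNOWN_IOCS})


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx")


def triage(data: bytes, filename: str = "") -> dict:
    digests = hash_bytes(data)
    pe = is_pe(data)
    return {
        "digests": digests,
        "ioc_hits": match_iocs(digests),
        "is_pe": pe,
        # A PE arriving as "invoice.pdf" is judged by content, not by the
        # name the sender chose (this entry's MIME type is application/x-dosexec).
        "disguised_pe": pe and not filename.lower().endswith(EXECUTABLE_EXTENSIONS),
    }


# Constructed stand-in: MZ magic, zero padding, e_lfanew = 0x40, then the
# "PE\0\0" signature. Not a real binary and not related to the sample.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read(), path))
```

A match on SHA256 is the only one worth acting on by itself; the MD5 and SHA1 entries are there because some feeds still carry only weak hashes, and a hit on those should be confirmed with the stronger digest before it is used as evidence.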

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4 (this sample)
Dropped by: xloader
Delivery method: Distributed via e-mail attachment

Comments