MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908
SHA3-384 hash:	53ff25561675c408e5d66626a4bdbd80d6285e66f6b009589481cb4909fbf932783af57094bc15057738567835ad9f2d
SHA1 hash:	1fffedef360d3314d86252ab60756f6474703262
MD5 hash:	9e585f302a6f5d840249254fe3e1a4a9
humanhash:	georgia-rugby-twenty-stairway
File name:	INVOIC_78354_10_2_2023.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	402'168 bytes
First seen:	2023-10-03 13:19:46 UTC
Last seen:	2023-10-03 13:35:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep	12288:BnPdw+Kj8e9dJPmdvchG5UTs4kvmbAAjGEJ2ZubUN:9Pdw+KgeD0v+G5cPkv+RzuIUN
Threatray	10 similar samples on MalwareBazaar
TLSH	T105842364ABD3F2BBC221CD350775D6213793E2120596090F2388DA1DF972698F96FB87
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.2856.3624.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Likely Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin overlay packed remcos shell32 threat virus

Link:

https://www.filescan.io/uploads/651c15031e07d7e1e9ac0624/reports/6fce4f4a-7ea0-451e-86c0-09189fa18539/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db3886dc-5b57-41fc-b5a6-45f10ed741ac

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-10-03 00:55:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=upqdaghc3ot2mhguetb3bgde33hsrak6pi6yigd7ndv2uok55eea._file

Verdict:

malicious

Label(s):

formbook

Formbook

3365f0fe697d468a8589961b708d9b05dd34a43f3c5d58356a83530c27d919f0

Formbook

53f8211db510203634da93d5f2616ead5784031d1fd9d1ad245e25719fa974a9

Formbook

731884023aba6003836d2d19d064cb991b9e9cfe3c494fdb708ad30d32c4857b

Formbook

738716f118a29c164740d59ca19da16459eef1c2de1758d9ffed42434c0b364a

Formbook

7b798cee09b1e65922731c0ac1ddc080ce0560fe68a01c70e19bcc1bb59cd047

Formbook

88005c410d3a18867eefc7ce9d13242fb12d72f1ba53204363d552782ba6b5fa

Formbook

c275d87e329c16226557c0ff240d0e9503417f51da02f33a3dae9eb7bc089515

Formbook

f34fd6bbeea3da4838e068cb7aa4f867b3d4d8c435dcc8926895d1c033bd7622

Formbook

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/231003-qk3mksah5y/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Unpacked files

SH256 hash:

6c9159b4e00b645d08eb242eb1bb228d05d2bac1715a9a9a74aa302fcb6e5610

MD5 hash:

33e61bb23c6ec5770885f7b659a06e63

SHA1 hash:

87bdb346d953e43ae4ed510c0c187f0b130249fa

Link:

https://www.unpac.me/results/2b760ae1-efa8-425b-b97a-57cae5ad07cc/

SH256 hash:

a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908

MD5 hash:

9e585f302a6f5d840249254fe3e1a4a9

SHA1 hash:

1fffedef360d3314d86252ab60756f6474703262

Link:

https://www.unpac.me/results/2b760ae1-efa8-425b-b97a-57cae5ad07cc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a3e03018e2db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required