MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c
SHA3-384 hash:	2189e6155c53ea65829a46022b4f563a5fa3afc20e7d03497ba898aaa8b39a96befa8be1e0e781a7359afa6188de8aec
SHA1 hash:	3cdced6525c139f9780c86d9cc009909dc8f6340
MD5 hash:	8816ae2569502ee59b42b30f1f63c5bf
humanhash:	sixteen-missouri-lamp-asparagus
File name:	8816ae2569502ee59b42b30f1f63c5bf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	606'720 bytes
First seen:	2023-10-17 10:50:40 UTC
Last seen:	2023-10-17 11:48:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:2zfqBuHyLZf5yAT+RkTd0ZRZch3ibZk8SzyBFzCac:2T6fRZ+RkTd0ZRnbaXSc
Threatray	87 similar samples on MalwareBazaar
TLSH	T1FCD4129902C4DB5EEEB60BF99422D604CBF278066230D7BC1D4658CF4BA97BC5484FA7
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

309

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/455281/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/652e671a5da218a42f52509d/reports/ca04e45b-6106-461b-b4b1-bd5af55b3ccf/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cd5d45e1-5483-4752-8735-83738f719704

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327197

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-10-16 13:14:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 35 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v462pswrpjrp7vk576bvqdspmnuxx5xhh6xmmitjy33lqd6ykfwa._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Formbook

15426243aa8d60c8592a759e72f42ee2b1d9f2cbf96018c565ce70fd6778ca33

Formbook

3e1c698228509853ff20630c605525450e37d2741f7137b3784a21d4e5d7a998

Formbook

4aab06d62b7be6864a2844428af16f335fee3713ef63ebf637540275f40ffd3e

Formbook

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875

Formbook

55080fee4ee4ead649f0e1e4f4fed140e91dbe7b372adc0ff110994655d956cf

Formbook

6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60

Formbook

89bcf1ff783e9986332cd6debe5fe5f424439518b7638f56b8322541a460f596

Formbook

b8e44f4a0d92297c5bb5b217c121f0d032850b38749044face2b0014e789adfb

Formbook

+ 77 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:btrd rat spyware stealer trojan

Link:

https://tria.ge/reports/231017-mxtzesbc61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

dc1640a58e9fea5bfa7f6345a1c4c30b240225cc63f34fdb389af6ece1c5a007

MD5 hash:

b80e4dff0fc7c0b2fc2455aee3273485

SHA1 hash:

2e8ecd4015704c7fa7cd039accf3dd4c6547ca63

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/d5e07823-a080-465e-a221-16d37b27edec/

Parent samples :

87d3bbd8edcab168832890e4d362542e2be35fe286ce9a2ebeeb8216d08cca0f
896d0711b287b0914d88b93ff8d06623c60f45b405e12cbc34a406e09942a577
10e1fd083fbaa700f1580863bc6bdc928fff23f2edc479c6a8d4e3d7ff57926c
df810d99cd1588f21a80f27dc691efb44083567f1385978dad10611858bad134
c643ce9cf3045a605b3ed588dc7e992de791468c841013fcdb310e751b237ad3
2799249b9775bcf4a66a5f7fc52a40959815b1bb4b2b882b4f1e57d5dec406c1
a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75
79d20833e8b6c58ece93da20c2c927565e26198e5a6c802cbf5b559429eb4a94
caa1bdc19a635529512712883d67b0de6ff62f71f880e7527f38a4590a238b36
42f2f917ae48fc7239e19745dadfc47fa16537798f75b11a21ba9a604fbb4631
28c3fe7155927cb7482afbe59c25193a1a34856caa296cec11f9a3404df33d7c
7428f76122fbba77322e7338dafb21a613cbcc104f5af85c026b350c2d426f23
41ab6054625f7a03d1a0af44403ac248ca880ddc0141f61e41755b6f2263e42a
fbaea63cf0928cdd548719ce257ea3813b92a8765f561bbe7e8842e7d830b87e
5710572191f804e2f5f91ec37236187038467ef22922976630028ea45d340807
b28c7e4510175a83aa87b5511c73319de27fc894ffc28d561d4689c3ca27d1f9
99bb71c925f112035797c13df8af4106c78c305aecea027583007145fce87de7
01b671890aaefc4af8c91936da19e526f9b104c0a0db0b82734b3328359da0cb
0e0c5ba817a732585fb0e4100c7c7fe60e35b389b941c1b6a975aeebff2c809b
15426243aa8d60c8592a759e72f42ee2b1d9f2cbf96018c565ce70fd6778ca33
af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c
1e053c6bce5db98306f6795783016d7d94aaac748c80798210d7932e0c248d61
321409ee266700ca2cac296c34e8c77358c43503b2376df20a613445ef5b23af
f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125
f4b495bc964bbf91246a27e1e0bb242c0e7cb80729a97ae8bd8be53c3c91ef4c

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/d5e07823-a080-465e-a221-16d37b27edec/

SH256 hash:

be4b62dde8ea819da76e898b0e64a7858be2e5f598233ed0d5474e0996db52b1

MD5 hash:

9aa83a0233f21419a96f5a1201adb4aa

SHA1 hash:

7fa0fe91070505550da96f11698259749ba824db

Link:

https://www.unpac.me/results/d5e07823-a080-465e-a221-16d37b27edec/

SH256 hash:

9e7f6d15089f79c2cc50020c67234cd2c73785c5ebfb33656d9d388c5e99e623

MD5 hash:

fa5fcde77c11fe32607a28b7c0735ad1

SHA1 hash:

64df7e7089ab6937f51c25e89b8614c11370f36f

Link:

https://www.unpac.me/results/d5e07823-a080-465e-a221-16d37b27edec/

SH256 hash:

af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

MD5 hash:

8816ae2569502ee59b42b30f1f63c5bf

SHA1 hash:

3cdced6525c139f9780c86d9cc009909dc8f6340

Link:

https://www.unpac.me/results/d5e07823-a080-465e-a221-16d37b27edec/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/af3da7cad17a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2718521/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/455281/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample