MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3b6f6f58e9df22dda93da3c41997e4c36b48b4e8e851a217c572a0b78ce4b83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14



SHA256 hash: b3b6f6f58e9df22dda93da3c41997e4c36b48b4e8e851a217c572a0b78ce4b83
SHA3-384 hash: b2a09e7a6f0fe4c57c98bf735f1e733b81339808ae110ad74bfb8f4abf3b836aa03ba47836ddfe45cd4189b71b75b6ad
SHA1 hash: 90145f41391e049d2b1a66017c23480ec6b5a621
MD5 hash: 0a0bdbc0ca35148497f489d4354dad2c
humanhash: skylark-finch-lemon-lactose
File name: SecuriteInfo.com.Trojan.PackedNET.1197.7712.18516
Signature: Formbook
File size: 734'208 bytes
First seen: 2022-02-15 13:10:20 UTC
Last seen: 2022-02-15 14:33:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:Qj5k+oJdrR+v2yU6xsd1jXywJCGfFqX/OAP7CjDElvXj7OpGKWwtlp/D:Ia1rrRo28x6BfEvOAP2jAlfePp
Threatray: 11'112 similar samples on MalwareBazaar
TLSH: T1EBF4010077B36A94D43207FA54E59A811BB9654DA937D67ECE9230CD0C237C1DE3AA3B
dhash icon: 0012360d4d1e8606 (19 x AgentTesla, 12 x Formbook, 4 x SnakeKeylogger)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 3
# of downloads: 198
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed update.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-15 13:11:12 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:rmpc loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SHA256 hash: f78780e73536894b81b641dd13bb07a695d4db252660ea0eb05eac4c0c0791ac
MD5 hash: 127f40bd49e98c99917ca783c4f9a043
SHA1 hash: 68844b38e9c16af99c05f81a202ae93e9866e3e9
Detections: win_formbook_g0 win_formbook_auto
Parent samples:
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments