MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3c471545f3477bc81b3e69d656691b67d9a6ec26c85e66bcf332f5b9d29cec4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 13 File information Comments

SHA256 hash:	b3c471545f3477bc81b3e69d656691b67d9a6ec26c85e66bcf332f5b9d29cec4
SHA3-384 hash:	125680d3e307987b187a7c3aaa44cfd5c7e50a03558301b332109cba3efbe2365296179adca42324d1ed7c92b23c0a75
SHA1 hash:	2c8361dafbb0e62cf6931fd2e22fcbb86442a1ef
MD5 hash:	83b136e56255ec4ed9cc8e44cb1e864a
humanhash:	west-july-dakota-early
File name:	Confused.bin
Download:	download sample
Signature	Formbook Create hunting rule
File size:	354'304 bytes
First seen:	2023-02-28 05:27:08 UTC
Last seen:	2023-03-09 04:50:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:S3PnAKH05EVZDgaj5hppyNpXndxMhuruCbnIj2GL:S3vAK0WVZfppyXIhiBbIb
Threatray	1'011 similar samples on MalwareBazaar
TLSH	T1DC7417833B05DE42C93686F9596AD8B4B7666DD82811C3831CF2FD2BF1F34261DD9A84
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	60ee9654200ec420 (1 x Formbook)
Reporter	petikvx
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Confused.exe

Verdict:

Malicious activity

Analysis date:

2023-02-26 06:27:13 UTC

Tags:

evasion ransomware

Link:

https://app.any.run/tasks/8c3f5fa6-3aa1-46b8-98c1-e922b70b0557

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370502/

Detection(s):

SecuriteInfo.com.W32.MSIL_Agent.BUD.gen.Eldorado.7495.2842.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63fd90e4bfec0852a68dc27f/reports/6d0310fa-8d35-4f5c-90f8-eeba54818b60/overview

Verdict:

Malicious

Labled as:

MSIL.Benin.Generic

Link:

https://www.hybrid-analysis.com/sample/b3c471545f3477bc81b3e69d656691b67d9a6ec26c85e66bcf332f5b9d29cec4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0784f657-39b3-443a-a77c-463db6e52d98

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1183889

Signature

Antivirus / Scanner detection for submitted sample

Binary or sample is protected by dotNetProtector

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3c471545f3477bc81b3e69d656691b67d9a6ec26c85e66bcf332f5b9d29cec4/

Threat name:

ByteCode-MSIL.Trojan.Benin

Status:

Malicious

First seen:

2023-02-28 05:28:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wpchcvc7gr33zant42owkzurwz6zu3wcnsc6m26pgmxvxhjjz3ca._file

Verdict:

malicious

Formbook

49cff73125bdbed98cdda85572228372cecaedc8fa98fd48706fd23e6ad1ad4b

Formbook

4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168

Formbook

61f0d8f4844eb358096d86cf0dda1d02e6056f5dda28e14851e4d5f84ef429e6

Formbook

b3be7cf75ded8a3dec4a78a9dcf32ff433ac5fa5743d5c27b77dd67f9d6a427b

Formbook

b586e6e1dd405982901351980cf6d32f9ff3702887508d253101136b325622d6

Formbook

c2dd89a5116214f44214380e06bb86158f67b8148ae1cdfb4dddefe444badbb0

Formbook

+ 1'001 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/230228-f51cvahg69/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Looks up external IP address via web service

Unpacked files

SH256 hash:

5fef2acf0b0289500ddfcbcbe45c95973c37d30eecdb2f5f20894a5f5b43ef31

MD5 hash:

f6d05f1f65b85eb1228f6524bb3773e8

SHA1 hash:

2c1a3b5de5d9e34e20fcf39671b4359abd38507c

Link:

https://www.unpac.me/results/0d7a048f-efd7-4541-b7fe-0c994edff394/

SH256 hash:

c99877a67ca19a09ce8a54daafca4e36f16e10aa9314ce9023161dbb6ea791c2

MD5 hash:

b88f7a0f5ae476293b3291323c24b6a4

SHA1 hash:

a5973c4a7a076e45c3443c92d7666952692fa927

Link:

https://www.unpac.me/results/0d7a048f-efd7-4541-b7fe-0c994edff394/

SH256 hash:

70e80f20b13f8b7ab19c9fd6037ae58bcb9541b5c64bb4fdd0b72f920d8796ac

MD5 hash:

881ddb5d47fa1714843d09221b4a198d

SHA1 hash:

69e8ea9b5a9ff554ae084e04f34f7e4ab773fef4

Detections:

win_neshta_auto

win_neshta_g0

Link:

https://www.unpac.me/results/0d7a048f-efd7-4541-b7fe-0c994edff394/

SH256 hash:

b3c471545f3477bc81b3e69d656691b67d9a6ec26c85e66bcf332f5b9d29cec4

MD5 hash:

83b136e56255ec4ed9cc8e44cb1e864a

SHA1 hash:

2c8361dafbb0e62cf6931fd2e22fcbb86442a1ef

Link:

https://www.unpac.me/results/0d7a048f-efd7-4541-b7fe-0c994edff394/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b3c471545f34/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3c471545f3477bc81b3e69d656691b67d9a6ec26c85e66bcf332f5b9d29cec4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Destructive_Ransomware_Gen1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	Destructive_Ransomware_Gen1_RID31CB Create hunting rule
Author:	Florian Roth
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	INDICATOR_EXE_Packed_Babel Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Babel

Rule name:	INDICATOR_EXE_Packed_Dotfuscator Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Dotfuscator

Rule name:	INDICATOR_EXE_Packed_dotNetProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with dotNetProtector

Rule name:	INDICATOR_EXE_Packed_Goliath Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Goliath

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	MALWARE_Win_LockDown Create hunting rule
Author:	ditekSHen
Description:	Detects Lockdown / cantopen ransomware

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_RANSOMWARE_Indicator_Jul20 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects ransomware indicator
Reference:	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

Rule name:	SUSP_RANSOMWARE_Indicator_Jul20_RID31A2 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware indicator
Reference:	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/370502/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample