MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3
SHA3-384 hash: 015caa218f6fd403c3ea615123dde60bb511e430fd9cf9bd4ca9103984c8cd2b97397467d7b5177d8a145025ec7d2f39
SHA1 hash: 2c4cdf4e9e1db74145c1b48b655c127e7eb6c596
MD5 hash: 4d2317fa510cb2cb72330ea66c50ff4c
humanhash: social-sixteen-paris-fillet
File name:Shipping Documents.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:631'808 bytes
First seen:2022-04-26 07:59:01 UTC
Last seen:2022-04-26 08:46:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:GTGPc79oa3aEjqvWUU5FgFnrH8+66DLcQCOYjaRpiDGp:1c79ELvndnw+uQCdjaHl
Threatray 15'232 similar samples on MalwareBazaar
TLSH T1FED40207E250B216CCB80BF7509378A05AFB7D632932AB4E95CC7E29DA733D09653572
TrID 54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266679/
Detection(s):
SecuriteInfo.com.Artemis4D2317FA510C.4955.15737.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/6267a647e1f182a52a5f221b/reports/3dd916fd-9f58-404b-92d7-b4e82cc39c91/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a68056f5-89aa-47b9-b9b3-601925ba7b73
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983041
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615525 Sample: Shipping Documents.exe Startdate: 26/04/2022 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 11 other signatures 2->54 10 Shipping Documents.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\Roaming\wJCOllNwD.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp7BF4.tmp, XML 10->38 dropped 40 C:\Users\user\...\Shipping Documents.exe.log, ASCII 10->40 dropped 58 Adds a directory exclusion to Windows Defender 10->58 14 Shipping Documents.exe 10->14         started        17 powershell.exe 23 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process8 dnsIp9 42 www.wwcsv.com 166.88.136.248, 49756, 80 EGIHOSTINGUS United States 21->42 44 www.bigjakesque.com 21->44 46 bigjakesque.com 34.102.136.180, 49753, 80 GOOGLEUS United States 21->46 56 System process connects to network (likely due to code injection or exploit) 21->56 29 WWAHost.exe 21->29         started        signatures10 process11 signatures12 60 Self deletion via cmd delete 29->60 62 Modifies the context of a thread in another process (thread injection) 29->62 64 Maps a DLL or memory area into another process 29->64 66 Tries to detect virtualization through RDTSC time measurements 29->66 32 cmd.exe 1 29->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-26 02:30:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpkyn2tpsvhhftm4hgby33heu7qbtv7rsfxqtbg2qfwra7id77rq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1bfc4e45067f4f1fc583289ac5f8ab3bba6403443f51d18c8546adf58de68501
Formbook
3859da72cd34fc9b4ebe2ff100a3d888845836f4945bf2bcdfb83d5d0d16508a
Formbook
4d5d803e91d5a07b32a19a06a8f722d3d4aead462bb2cab23470f2c2ad79b71a
Formbook
5c4b6b6b72e020bea0a32b9ca0542bd404e91eff6344648aae077ad332593744
Formbook
7b3be400d99b473afc9f2bdf46477b61736a71db20cd9d1137b0cab4d4aaeff9
Formbook
899615d89ed1fb1460cc0271763148d9fef6286e4714a4028bbdbadb6e6b9a30
Formbook
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
Formbook
b5cde2a22949e65c3eb965bec3fe21cc3edd2d83e5a1631bd705ab8f649daff7
Formbook
e740634fa7cca3715fa9eb7fa30892467e31d044ed6f661ad25dae49298862d7
Formbook
+ 15'222 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o18j rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220426-jvdymsffhn/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
81621c2cb0534047140e930dec3f56c8a82b4da0edbdd4735d7b2aac0f1cd0d9
MD5 hash:
30fc22115bbbad0a22eab88dec072c92
SHA1 hash:
afc7cee2d35fc21c0a8ae21009f0856309abc345
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/be0a1d7c-7733-4cd7-a078-f4ed8213718c/
Parent samples :
0052550949ab904c6378bf94738d19eaddf7a1f4f1c99d4d75789566f9e95440
b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3
a580ab61d55ab77a9c8cc5cf6b548b3c0c7a0a7ad1dc081ec5e90f37066d1445
SH256 hash:
09cd3bc420c8982190990a9673b58c3ab01e933dff0881f1e521d3316f1b9a6b
MD5 hash:
6933707e111286a128ad0f7fa298153f
SHA1 hash:
d1121c8bed634e9684727e8c0aad3f597b0749ad
Link:
https://www.unpac.me/results/be0a1d7c-7733-4cd7-a078-f4ed8213718c/
SH256 hash:
bae0250b69ec60cd2d32fe15337a1782dabec82fc01e52f85b7046d4c4089de7
MD5 hash:
9e9fe77795a7fccf44e212afc97f37ff
SHA1 hash:
aaec8f3c9c68d17f8935b00ad2d81f03560f51f5
Link:
https://www.unpac.me/results/be0a1d7c-7733-4cd7-a078-f4ed8213718c/
SH256 hash:
475c868f339bd7458531279005f944015d755488c78fa56ece3409cd8a9c0851
MD5 hash:
a05aa3b8ac922036c872127863d0a079
SHA1 hash:
30c7649af0b421cb0be1bc38d58edfb05607290f
Link:
https://www.unpac.me/results/be0a1d7c-7733-4cd7-a078-f4ed8213718c/
SH256 hash:
b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3
MD5 hash:
4d2317fa510cb2cb72330ea66c50ff4c
SHA1 hash:
2c4cdf4e9e1db74145c1b48b655c127e7eb6c596
Link:
https://www.unpac.me/results/be0a1d7c-7733-4cd7-a078-f4ed8213718c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb2
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b3d586ea6f954e72cd9c39838dece4a7e019d7f1916f0984da816d107d03ffe3

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/266679/

Comments