MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d
SHA3-384 hash:	07fe30f203fa83cc6ef9c5d443746c0279d72f1558931fb1df6b10d07969a4ee9eae20b556b540a343c938a0aaef2e28
SHA1 hash:	713e36d462c6d8ab30a422b6ecbad3ababd2f659
MD5 hash:	bb00f55c52b18bfccd705d6160dc0c60
humanhash:	finch-mike-lamp-bulldog
File name:	SecuriteInfo.com.Win32.MalwareX-gen.18870.13019
Download:	download sample
Signature	Formbook Create hunting rule
File size:	629'760 bytes
First seen:	2023-09-12 04:35:41 UTC
Last seen:	2023-09-12 07:03:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:8yEYyVFn7IzJE9Ba1VvqKqZAZUGwz+3LJw+2mjhMyCBGy:JV+Fn7rna1VvqKqaZjbJfdhMN9
Threatray	122 similar samples on MalwareBazaar
TLSH	T1CFD4224A43FC77A1C1BE1BB150B56214A331E0172823E3665EC8D2F7AB67BC49B55B83
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.18870.13019

Verdict:

No threats detected

Analysis date:

2023-09-12 04:36:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/47449431-240b-4940-8c67-279e8994a7b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/448048/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.MalwareX-gen.18870.13019.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64ffeab37aa68bd3a1f7560d/reports/ff70a44a-5afa-4326-9b58-1ec57e0a4385/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4363034d-5e8b-4910-a147-ccd44c1756c2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1307651

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample tries to kill multiple processes (SIGKILL)

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected FormBook

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2023-09-12 02:30:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x43fns3o7o6hqg5fyenzo4x36d5qerpobakj5jtpraf56vutsb6q._file

Verdict:

malicious

Label(s):

formbook

Formbook

2fe9bc1096b9cc12a5f2eb7db53fae2d396b870008b7283c35c87b84626ab509

Formbook

59da9f40387363fb12e59349fa8f47535f80abe5ac07d87e20f42c547e176864

Formbook

8e06e30fe6a9c4f64a09da567c0a6d2f01b49622f535122736d1dd7177b7f9be

Formbook

94f494962805c4cae1a0295d20db44ac8a42f4a6447a5856f17716c8f146844c

Formbook

9ab21141018bf9b7884f4dba96fcd4d184bc1fb913f38e8267decba39f78b376

Formbook

ccc8ed7866ebf89380c45861e50f095db3acf900fa4cf797e1a5de78cf6051aa

Formbook

fc563ce0d3583e88222493534f0f02d94ca9dab17c906c5deacf7132852b51b4

Formbook

fd82749104473f4be5f7498f2a751f4090f999c50ae63e114ea49067c2b16185

Formbook

+ 112 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230912-e78xbsdg47/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

e809957293bfb4e8a4da8c2ebc5ebfeedcab917026c1e524fc85aec2c39fa4e9

MD5 hash:

f4187c0079292072954c58bf35cfa44f

SHA1 hash:

bdee2aeb7d154497134c02dd9ec1ac1d98712c4d

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/2bace77c-b090-40c4-b32e-26d8a818861b/

Parent samples :

9ab21141018bf9b7884f4dba96fcd4d184bc1fb913f38e8267decba39f78b376
ed332a896cc71afb913bed903fa5259149985d3d3659487f4dc876293e0f7a03
bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d
ab38780451a464e6a292bedd185cfebae8032e19437f01a1e877f87e33bf4ac7
07eb84ab44d23516c584c1682f5d417c56ec00eb40e04ed2b4469ba2260b6338
d47ffa12778a36d3282598931fbd4614b0215ba1643a59dfdb7e80d8fffa5ead
50413921860a4f9db3c3ab95c68154e9ffd12726c64a4a46d141499fcf448288

SH256 hash:

e5fae65a388edb0bfa180b540509fb868e3423a981f1bd147f1de93344e16de5

MD5 hash:

eb195c27cf2ed30f122789c32078da64

SHA1 hash:

d6774a2cb44e19ac2e20d5b098d43d373bb73dde

Link:

https://www.unpac.me/results/2bace77c-b090-40c4-b32e-26d8a818861b/

SH256 hash:

464e6df4bd49f1a347ae820bf5bf9b5ce4a1192d832ec63127482758d6608dff

MD5 hash:

09861dcab88a8af5f332417b1460a92c

SHA1 hash:

d07ad2a29e2f6d4ce2498dee7a18e69770891c10

Link:

https://www.unpac.me/results/2bace77c-b090-40c4-b32e-26d8a818861b/

SH256 hash:

da39539913fe90eda76d49cc7193f52461e2282265bf2910f08b24658411f5a2

MD5 hash:

6b730b219ad00f76afd584e236c955e7

SHA1 hash:

aeb6e83aaa47e9a1b47ad66abb4bb9ff7e6caca1

Link:

https://www.unpac.me/results/2bace77c-b090-40c4-b32e-26d8a818861b/

SH256 hash:

0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198

MD5 hash:

f559a9abbd849eb977d262d597d6e4fd

SHA1 hash:

0a8769b40b026852690c89b913c2812817ef43c8

Link:

https://www.unpac.me/results/2bace77c-b090-40c4-b32e-26d8a818861b/

SH256 hash:

bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d

MD5 hash:

bb00f55c52b18bfccd705d6160dc0c60

SHA1 hash:

713e36d462c6d8ab30a422b6ecbad3ababd2f659

Link:

https://www.unpac.me/results/2bace77c-b090-40c4-b32e-26d8a818861b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf3656cb6efbbc781ba5c11b9772fbf0fb0245ee08149ea66f880bdf5693907d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/448048/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample