MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869
SHA3-384 hash: 6c1156d03b29234a8e1d9c8e9ca2f96d11da20c1d4dfc0e42f1e38e6b700a38a20b51e1d5b0083737618e5f41cbf7bf0
SHA1 hash: ed6e079eb0d668647afc8655d2354f186f38ee71
MD5 hash: dfe9b6dd5405746b4af428b022f11c68
humanhash: lima-artist-north-may
File name:dfe9b6dd5405746b4af428b022f11c68.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:557'056 bytes
First seen:2023-04-12 13:08:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:Ez9vdOBcVz1RtGJxDyX+pJ9dcASjs8ANzW93NwE/t/vtyOELIpaYS5N7BxeGsFX7:6LOBc1178Vy8TS4kR1/vAOExDNCbbVu
Threatray 2'613 similar samples on MalwareBazaar
TLSH T110C4123E1335DB62F20D2B7474558C023224E254D1B4A92898E3E7DBCBBBED551A83E6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dfe9b6dd5405746b4af428b022f11c68.exe
Verdict:
No threats detected
Analysis date:
2023-04-12 13:15:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2641ed64-4fa7-4db1-bfbf-a41ca538de87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381825/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/6436ad70e90389fc714b3dbc/reports/947abe67-e381-4a60-9c3a-0f7498f2a416/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f414dae7-6aa9-40b0-afd7-ee0113382430
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1212595
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 845514 Sample: A1kpH1n9TO.exe Startdate: 12/04/2023 Architecture: WINDOWS Score: 76 18 Malicious sample detected (through community Yara rule) 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected FormBook 2->22 24 2 other signatures 2->24 6 A1kpH1n9TO.exe 3 2->6         started        process3 file4 16 C:\Users\user\AppData\...\A1kpH1n9TO.exe.log, ASCII 6->16 dropped 26 Injects a PE file into a foreign processes 6->26 10 A1kpH1n9TO.exe 6->10         started        12 A1kpH1n9TO.exe 6->12         started        14 A1kpH1n9TO.exe 6->14         started        signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yosdofxchqcolqtdbqxh7dtjcfcd7zh2uohdr3q6lzqkr3gcjbuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
17310a407cf725a962dffd7d620f9bc625331a3b82f4588f882ceffd859ba13e
Formbook
180284f76be1f524875609de4bb4e02cb30a969a438bd871198830ec393afe0f
Formbook
35dc865c22873093d1417a28a5782b40e96ac3a890b51cb57dd89bedb23f1bfb
Formbook
375023474e1cf7831eae2918f7dd925a8fbc310986a063a00d91a31a07f15f7c
Formbook
456571cb765187fa0c2e5d5e95545614a3f41f82f502fde9a386b7cb8f7190c7
Formbook
7ae47693c2140e42e5a9ef4a8bea41417ac6090e8bf2d8cd8f8e14ad02a3d275
Formbook
82d448cb2461440d0ab1777690a41e228118c36961d8ee506ce94a9622b8af5d
Formbook
a9e8c821bdf65ec3bf80857646168be279506f299cc85b44c1f87864757e6a43
Formbook
c7720dcabf680a642e1b2301d938f0be590669238878109b7ca8f55e13e26a4b
Formbook
d5c9eb88e84d396ab177225746e25d5a0ea92424e2225371145c2ccddff01934
Formbook
+ 2'603 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230412-qds5kadh71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
7f0becc3402c74aa7ffefea133dd54fc093d471b913877e8c4e756dccf6fb82d
MD5 hash:
e31ec0d2aa543ebc66c1e4df989437f4
SHA1 hash:
adf1135d64e92b51d62cff47a567f81fb08b261e
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
Parent samples :
c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869
49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82
d744371010d5b494046c105db860eacdacd4b639408c7543407ab426f5bf4808
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca
a3225cdecee4f51aef9815859cdbaa70d5ce3b5e97d52518a5e0c5e2ac5deb12
61abb254011d46a438c4e736cef97d8a2a51483f9fe6903f693479cd7df643bf
SH256 hash:
3f386183a3404f5946c68d418d6c42327e9677859531a10dcb5f5b5753c1eb52
MD5 hash:
1289d074a7dff19b5913e8a8ab2a4397
SHA1 hash:
cf3920ef03251ab39e0208ebd08aa6a526c112c3
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
SH256 hash:
086bdb300ac6fbb12835c4bbeae7740d342322168a1d95d2de3b84424b97125e
MD5 hash:
2416d3a216eecb38aa3b25d91e663704
SHA1 hash:
a9b875bcbeb706243564f88b37740d32825b7145
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
SH256 hash:
f7ff2bd458d4742c6a393da7237e76429c53b78108181eb8cd819e19b379dae4
MD5 hash:
0bbc371fb29d57759c2d60c55c5942f9
SHA1 hash:
84e09c893ec027712feffde683dcbe84624448be
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
SH256 hash:
c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869
MD5 hash:
dfe9b6dd5405746b4af428b022f11c68
SHA1 hash:
ed6e079eb0d668647afc8655d2354f186f38ee71
Link:
https://www.unpac.me/results/5e1858f0-d4ca-43f0-8ca9-32a1c303d262/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3a43716e23c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2298641/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381825/

Comments