MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3af074935c9d5761a8ab31f8be1f6e936ae112e760723219b8e8a6a1941152c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3af074935c9d5761a8ab31f8be1f6e936ae112e760723219b8e8a6a1941152c
SHA3-384 hash: 5a2792eeaa7631b260c73206569695263a4c265cb1ae4e065b5ab85d6fa5aba5cac151d6ce6c1b3597737bc2f0d8f4a6
SHA1 hash: a70af7ddb08637be91e60cb9733874f5a0c16bff
MD5 hash: fa64622145097335d46c6d75d89bbcf5
humanhash: louisiana-floor-steak-mountain
File name:SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.7073.28215
Download: download sample
Signature Formbook
Create hunting rule
File size:247'800 bytes
First seen:2022-03-21 01:51:21 UTC
Last seen:2022-03-21 10:03:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiL0NKuY2HxzX69FZC6j7IVxJ1lT5d8NwiCqx:H2H6T7IVxHlTEwiCqx
TLSH T18F341287B2F068F3CBC8897806B5F7A5DB7DA3F24D112A1B4B986F8D3571683450B684
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253205/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.7073.28215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6237da45b94fb38cb4be82c6/reports/88aec639-7c44-4025-bf7f-55688975c7a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f58b33fa-7114-4993-91db-36837fb40a5e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960375
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592856 Sample: SecuriteInfo.com.Trojan.NSI... Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 3 other signatures 2->47 11 SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.7073.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\...\efxxacx.exe, PE32 11->31 dropped 14 efxxacx.exe 11->14         started        process5 signatures6 55 Multi AV Scanner detection for dropped file 14->55 57 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->57 59 Tries to detect virtualization through RDTSC time measurements 14->59 61 Injects a PE file into a foreign processes 14->61 17 efxxacx.exe 14->17         started        process7 signatures8 33 Modifies the context of a thread in another process (thread injection) 17->33 35 Maps a DLL or memory area into another process 17->35 37 Sample uses process hollowing technique 17->37 39 Queues an APC in another process (thread injection) 17->39 20 explorer.exe 17->20 injected process9 process10 22 cmmon32.exe 20->22         started        signatures11 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        27 explorer.exe 1 152 22->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3af074935c9d5761a8ab31f8be1f6e936ae112e760723219b8e8a6a1941152c/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 00:38:04 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yoxqosjvzhkxmgukwmpyxypw5e3k4ejooydsgim3r2fgugkbcuwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:j01s rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220321-caek4shafp/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
3803476ffdd21386d20ea933b2dcd492faa6556b6f2957d333508afb5f7c4589
MD5 hash:
b18d0515c019160253fb1970403e06b7
SHA1 hash:
ccb558711728d17f5bf67fcdcf80c2a4918b83de
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c42c7915-33c5-4306-bb83-71ede6112b50/
Parent samples :
c3af074935c9d5761a8ab31f8be1f6e936ae112e760723219b8e8a6a1941152c
4a0fe18ddc4a8fe8d8bbd7b6220c5fc55b51d7611e1996829e889cddf233c0a8
5b91196649a276f967087fca9bbf4898b38afd3da43294f68b0f934464edfaf1
SH256 hash:
563c116f6316bc0d37da9ac3e5977c1d1f3d56d278e86bb2e89555291bd14c6a
MD5 hash:
f89cc983a17113d4a7824f644926ae5f
SHA1 hash:
b8f3bd3ec9181827322097522f04a910b968f33e
Link:
https://www.unpac.me/results/c42c7915-33c5-4306-bb83-71ede6112b50/
SH256 hash:
c3af074935c9d5761a8ab31f8be1f6e936ae112e760723219b8e8a6a1941152c
MD5 hash:
fa64622145097335d46c6d75d89bbcf5
SHA1 hash:
a70af7ddb08637be91e60cb9733874f5a0c16bff
Link:
https://www.unpac.me/results/c42c7915-33c5-4306-bb83-71ede6112b50/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c3af074935c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/c3af074935c9d5761a8ab31f8be1f6e936ae112e760723219b8e8a6a1941152c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/253205/

Comments