MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b29ad97ad10528eed8dcedaf95dcb25b11fd860b6c2eb7999f924953bf5ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3b29ad97ad10528eed8dcedaf95dcb25b11fd860b6c2eb7999f924953bf5ae8
SHA3-384 hash: eeec011fab2a0bf69a52583057551977936465bbfe39a407b4d7c42ea52d7e0c562107c077e05f00ab3177bfd543c9f3
SHA1 hash: 32359c51e0b9910faf81ff954008fe2c19ae9774
MD5 hash: 332a4f9683f295364dad6fa1274f9247
humanhash: purple-georgia-south-march
File name:우리의 새로운 주문 AE1179 확인,pdf.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:436'224 bytes
First seen:2021-12-22 15:11:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:wrhmFcCBaOzHUZHROIC2U6YDfS2zMorm8Q:WmFcwa40ZHROt2pYrPt9Q
Threatray 10'051 similar samples on MalwareBazaar
TLSH T1EC94020975FC9B22E97E4BFA14B302514371A527B424E34D1DCAB0EB2635B418B62FB7
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
우리의 새로운 주문 AE1179 확인,pdf.bat
Verdict:
Suspicious activity
Analysis date:
2021-12-22 15:20:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75dc3ffc-f238-4e4d-bd66-cf46f5b956cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215806/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61c34045ec6c6c14a9ea428b/reports/37dd777a-dea7-4853-920e-d4be0099c62f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0dbd57c-61dd-419c-8466-a7e007ad67ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911592
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544070 Sample: #Uc6b0#Ub9ac#Uc758 #Uc0c8#U... Startdate: 22/12/2021 Architecture: WINDOWS Score: 100 31 www.likepotolki.site 2->31 33 likepotolki.site 2->33 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 10 other signatures 2->45 11 #Uc6b0#Ub9ac#Uc758 #Uc0c8#Ub85c#Uc6b4 #Uc8fc#Ubb38 AE1179 #Ud655#Uc778,pdf.exe 3 2->11         started        signatures3 process4 file5 29 #Uc6b0#Ub9ac#Uc758...5#Uc778,pdf.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 #Uc6b0#Ub9ac#Uc758 #Uc0c8#Ub85c#Uc6b4 #Uc8fc#Ubb38 AE1179 #Ud655#Uc778,pdf.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.kotakanjogja.com 217.61.104.232, 49829, 80 XANDMAIL-ASNDE Italy 18->35 37 www.svatebni-servis.com 45.39.151.140, 49821, 80 EGIHOSTINGUS United States 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cmd.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c3b29ad97ad10528eed8dcedaf95dcb25b11fd860b6c2eb7999f924953bf5ae8/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-12-22 08:14:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yozjvwl22ecsr3wy3tw27fo4wjnrd7mgbnwc5n4zt6jesu57llua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26b24cfe3b0bb84b26fc83ce689b74728ac61f32391772dcc76eab04cc7042b5
Formbook
30c4d8cc68cc16af698b521cf9e31a8540f0c5cce8e2d66e874fc62a87dae393
Formbook
55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5
Formbook
62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f
Formbook
6d6b50ac34692e324b25147855ff3a075b1d5505f7fd550e405bca20ad94879a
Formbook
8b47208af9a6ddc6cbba36c03495fb4308c64b18bd455925502c9e39326e693e
Formbook
a68cb3bf1d9d41e29fcf2e4391e827591e58783cea5a13fe95403fb6b3429b5d
Formbook
ace8d85c2f02bd3d531cd8d609d23c6d35588ecce52f40a8d129b39a6b1d7723
Formbook
ae1c03af5639fe2515edf78971c8e322e4f5c271944da757583a2f2c372a4231
Formbook
fedeb19031bcc0941b0943dd3ed45ee6095b8c489c072c85e513b414abf8acf5
Formbook
+ 10'041 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211222-sk614sgchq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
a27bbcad1f4792bb3cb1d4cc9ae42cb0b50962d164e62e659330cceec56b3bde
MD5 hash:
cff28f8f742682070ff58147dfd185cb
SHA1 hash:
cdbc32275815ddf8deba764358c076619024906d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/12da7cf1-d6c8-45ab-b3c5-cb0225e4b00e/
Parent samples :
da8104e0d2273e9e8b1596e84a4e3671727e395b8790b2c1bec21d998bbda070
c3b29ad97ad10528eed8dcedaf95dcb25b11fd860b6c2eb7999f924953bf5ae8
SH256 hash:
0b6b9dcff1296f010873d690803d2bb2a00a1e1764e06f0aa002d6db1d174440
MD5 hash:
395a43fc91020bccebf5068e5f01e243
SHA1 hash:
ea261ff754379877ed88a1572507200a9f9b3b67
Link:
https://www.unpac.me/results/12da7cf1-d6c8-45ab-b3c5-cb0225e4b00e/
SH256 hash:
55535d7416e19740ddca81496bcfb9ea7f4ec52735e01d43880f6359f92b63be
MD5 hash:
42c16475606875decc737cb31dfb2cbb
SHA1 hash:
28db67a9058bbebedbd28819bce871cdeb62f968
Link:
https://www.unpac.me/results/12da7cf1-d6c8-45ab-b3c5-cb0225e4b00e/
SH256 hash:
c3b29ad97ad10528eed8dcedaf95dcb25b11fd860b6c2eb7999f924953bf5ae8
MD5 hash:
332a4f9683f295364dad6fa1274f9247
SHA1 hash:
32359c51e0b9910faf81ff954008fe2c19ae9774
Link:
https://www.unpac.me/results/12da7cf1-d6c8-45ab-b3c5-cb0225e4b00e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c3b29ad97ad10528eed8dcedaf95dcb25b11fd860b6c2eb7999f924953bf5ae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/215806/

Comments