MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0f3311ded7e19f8d94535b66c9eb741c5d3b4eebbffe924e8c3f2982f266647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14



SHA256 hash: d0f3311ded7e19f8d94535b66c9eb741c5d3b4eebbffe924e8c3f2982f266647
SHA3-384 hash: 86133153a4a98bbde0ee201751c59ece14598ea8278d956ff4fd1a644a5a5b61fe7fe453ba4324b9b5c35690b5ba91f4
SHA1 hash: dd5e1cba858336bf2cf60f02d652aec1662faf67
MD5 hash: 7fe8132e76bf8d046484eef749b31a66
humanhash: louisiana-bulldog-sierra-jersey
File name: dqt50IOto7KOVsJ.exe
Signature: Formbook
File size: 1'163'776 bytes
First seen: 2022-03-16 20:41:42 UTC
Last seen: 2022-03-16 22:57:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:4v7wOdu0cMYSLp/lg4/s2aNLh/xCk6un4rEoC4HIe6:k7fcGYSLjaNLhZCkn4HCo6
Threatray: 11'711 similar samples on MalwareBazaar
TLSH: T17A35021372994E11C15B023281EB8DE407B9EEC15923DA45FDC5FF9F52832B3EE1A299
dhash icon: ee5636aeea35a5e9 (11 x Formbook, 7 x AgentTesla, 3 x AsyncRAT)
Reporter: GovCERT_CH
Tags: exe FormBook xloader

Intelligence


File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
dqt50IOto7KOVsJ.exe
Verdict:
Malicious activity
Analysis date:
2022-03-16 20:46:10 UTC
Tags:
trojan formbook stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (Behavior Graph ID: 590798; Sample: dqt50IOto7KOVsJ.exe; Startdate: 16/03/2022; Architecture: WINDOWS; Score: 100)
Start: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
  dqt50IOto7KOVsJ.exe (started)
    dropped: C:\Users\user\...\dqt50IOto7KOVsJ.exe.log, ASCII
    signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    dqt50IOto7KOVsJ.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        signatures: Uses netsh to modify the Windows network and firewall settings
        netsh.exe (started)
          dns/IP: 192.168.2.1 unknown unknown
          signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)
            conhost.exe (started)
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2022-03-16 18:42:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Result
Malware family:
xloader
Score:
  10/10
Tags:
family:xloader campaign:rmpc loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SHA256 hash:
f78780e73536894b81b641dd13bb07a695d4db252660ea0eb05eac4c0c0791ac
MD5 hash:
127f40bd49e98c99917ca783c4f9a043
SHA1 hash:
68844b38e9c16af99c05f81a202ae93e9866e3e9
Detections:
win_formbook_g0 win_formbook_auto
Parent samples :
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe d0f3311ded7e19f8d94535b66c9eb741c5d3b4eebbffe924e8c3f2982f266647 (this sample)

Dropped by: xloader
Delivery method: Distributed via e-mail attachment
