MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1
SHA3-384 hash: 4f305329da9a65e8c57f6553c33a3a1030e615ebe4ff73e036fde46207e527f2305c400945cd68185c3b44b89f402005
SHA1 hash: 8f6ef972e28a2136768351a9edeb75d5118f4a7a
MD5 hash: 2dc3c8ab000b9ec286329582fcbf72b3
humanhash: river-uniform-hot-nine
File name:RFQ# 2201040.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:448'512 bytes
First seen:2022-02-02 07:26:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:zVO7J4kiPQaGrHSNQzFkidypgi2aNv6Io:zVOV2PQDTSfiUgIcI
Threatray 13'050 similar samples on MalwareBazaar
TLSH T148949DB4A0A78691F10BC974257CFAA502B331E3A9CA0D3917693645CFEDE543F84A4F
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229805/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61fa32106d25ac9e79faa378/reports/d4073b29-bd8d-4eb9-9977-dfa2d399d5ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab51c2c9-23ad-4fd3-b7ec-7bd66eab85b0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933045
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 565525 Sample: RFQ# 2201040.exe Startdate: 03/02/2022 Architecture: WINDOWS Score: 100 31 www.jingtailan-china.com 2->31 33 www.gobgamon.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 11 RFQ# 2201040.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\RFQ# 2201040.exe.log, ASCII 11->29 dropped 59 Injects a PE file into a foreign processes 11->59 15 RFQ# 2201040.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 label34.group 37.97.254.27, 49830, 80 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 18->35 37 www.phsenterprises.com 18->37 39 3 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 colorcpl.exe 18->22         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 22->51 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 03:02:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2nyr3bz5lm4543o5swfcighwqi5sdaegpb4xuol5ybev4xcbtwyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12876a9ad6e0bd4cf0d4fd1edbc14eedf3bcc96bee95391bad387893bb07fa8c
Formbook
194eecb866b404241cc14abfccf3ece512927dafff1e64248e1b1fb4e4acbd26
Formbook
387508d9f7c0d79b09bde31b037d1c43ceb1ce799a0cc94a77a20226477b47f7
Formbook
3e317e0e4e62e0842ba4d1d52f8bd3e45a1b7a8e01e784771803d722dbfaf3a8
Formbook
3f277a6819833eb0c7feab4e952301b4bac883e38ec8bd266093b6757d1920e8
Formbook
64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
bfb63f78c88894c097832d1073716db0d322456da3a2bccc15e57eac15fa903d
Formbook
dc6726c9222c4d86d9d1167ab0a6bea35dfa47f17963aa8e9f15c4fb855069b9
Formbook
+ 13'040 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gab7 loader rat suricata
Link:
https://tria.ge/reports/220202-h9jxrshddq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
15c200196e9af13c1ebdd9483440bf0900607002a0b64b66b0e917c06556964e
MD5 hash:
b976c95e8ec96253b2c48e4a34c6dac7
SHA1 hash:
2a21ff1adccd95ec4c44b753d1200febca892873
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1f25aea0-2064-4df8-98ad-bd970a704858/
Parent samples :
194eecb866b404241cc14abfccf3ece512927dafff1e64248e1b1fb4e4acbd26
3f277a6819833eb0c7feab4e952301b4bac883e38ec8bd266093b6757d1920e8
d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1
SH256 hash:
1db1553c7207321c1f2c71151f49dcb716fbb19662b1e12e17c5b008302c52a0
MD5 hash:
2e98e1befacd259d64ffdd5715bb5756
SHA1 hash:
f9b25afb3a77fd614d3e2103616a06c57851eead
Link:
https://www.unpac.me/results/1f25aea0-2064-4df8-98ad-bd970a704858/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/1f25aea0-2064-4df8-98ad-bd970a704858/
SH256 hash:
d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1
MD5 hash:
2dc3c8ab000b9ec286329582fcbf72b3
SHA1 hash:
8f6ef972e28a2136768351a9edeb75d5118f4a7a
Link:
https://www.unpac.me/results/1f25aea0-2064-4df8-98ad-bd970a704858/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d3711d873d5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d3711d873d5b39de6ddd958a2418f6823b21808678797a397dc0495e5c419db1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/229805/

Comments