MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3f24911d00d121b1cbda0eb6b209a03f6bfe569e9a8cc99bc1c2c5bab1dcbe0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: d3f24911d00d121b1cbda0eb6b209a03f6bfe569e9a8cc99bc1c2c5bab1dcbe0
SHA3-384 hash: 5d73e8cc93bc528e1f88ef035cf898254306e98d8ea96d1bee07acf21af7a8d4992dd05c051b01080749011bb721b709
SHA1 hash: 817b258461ee02edcbb93800542d53ac86ebb4a4
MD5 hash: 072755e355848b9b3e31e31dca456cb4
humanhash: pasta-east-speaker-florida
File name: Quotation MEW Tender 2024.exe
Download: download sample
Signature: Formbook
File size: 919'560 bytes
First seen: 2024-03-11 13:49:44 UTC
Last seen: 2024-03-11 15:28:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:eM31uTMGUdLPpXpZuL9C+6A/I+QcRenYOFhLM9ERO4hbdBsWukA7H1QSkR:oUdLPlaemQWyYOFhLzOuWWukAhq
Threatray 3 similar samples on MalwareBazaar
TLSH T1601501F0F4A4B753C1A22BB55710D5115B723C7E54A6DB8DEAA47EACBCB6348060EE03
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon cadca4a0a8a9a9a9 (2 x Formbook)
Reporter lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 321
Origin country: DE
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: d3f24911d00d121b1cbda0eb6b209a03f6bfe569e9a8cc99bc1c2c5bab1dcbe0.exe
Verdict: Malicious activity
Analysis date: 2024-03-11 14:51:29 UTC
Tags: formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Launching a process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: MSIL Injector
Verdict: Malicious
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph (ID 1406697; sample: Quotation MEW Tender 2024.exe; start date: 11/03/2024; architecture: WINDOWS; score: 100), recovered from the flattened graph image:
Sample node: contacts www.heolty.xyz, xn--s39ak4kmus.com and 21 other IPs or domains; signatures: Snort IDS alert for network traffic, Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, and 8 other signatures. www.heolty.xyz carries "Performs DNS queries to domains with low reputation".
Quotation MEW Tender 2024.exe (started): "Injects a PE file into a foreign processes"; starts two further Quotation MEW Tender 2024.exe processes.
Second-stage Quotation MEW Tender 2024.exe: "Maps a DLL or memory area into another process"; injects into GwxRYFbuhsEAHDcxZvTw.exe.
GwxRYFbuhsEAHDcxZvTw.exe (injected): starts convert.exe.
convert.exe: "Tries to steal Mail credentials (via file / registry access)", "Tries to harvest and steal browser information (history, passwords, etc)", "Deletes itself after installation", and 4 other signatures; injects into GwxRYFbuhsEAHDcxZvTw.exe again and starts firefox.exe.
GwxRYFbuhsEAHDcxZvTw.exe (injected, second instance): network contacts deaddropphoto.com (50.87.186.52, ports 49757, 49758, 49759; UNIFIEDLAYER-AS-1US, United States), www.drivemktg.co (193.108.130.23, ports 49761, 49762, 49763; SVK-ASCZ, Russian Federation) and 12 other IPs or domains.
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2024-03-11 00:15:54 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 61947a9d284d74e332427d5d4f19975f1424bef13d4c52f4f7476b2f4474efc6
MD5 hash: 7d8af7090e2ce7294b543c9e678ea7ca
SHA1 hash: 02940e8af15d914f582b401a6097ea3b0b496c08

SHA256 hash: 0384a63c47590f571b1c3835e5ba0b6ea901194f7b3b63b67381f8ada9e33784
MD5 hash: 9d27573b92030658771618cfebd6b2f9
SHA1 hash: 901e5e797496efc56982829b542513909bad2c0e

SHA256 hash: 4e92a79586be1b916ede16b6fa27f7ec4ebf87caa76347c286bfa96bf5e518d2
MD5 hash: 688137d4090cde9cbd8b01069eb7fd2b
SHA1 hash: 8fe63f8dd576dff98c737b5e40a66962f3388664

SHA256 hash: 5421582a8d6d54982231fecb7b8975d29c0ccc8f9599d4102eceb4561f6d3d8c
MD5 hash: 9d070c2ba4bc19fc0fbdafa38a108e85
SHA1 hash: 4697878f9bb03aa67aa4f6bcc09ad9c69e10abfe

SHA256 hash: 22df37a9a4dba5d3719a89fbf3e0afe55e0ef715ed1ae88a41b2677820e512fb
MD5 hash: 6d7d286cff09ddce9d55dc7c58ba1b2e
SHA1 hash: 413132e34f4a1274c8015075ac4e5f6656973cc3

SHA256 hash: d5802c98369acbb755014568ea0095cfb59355ec66dd31feb3e0c4063c824afa
MD5 hash: 312917a0f550555214fcd52837d3e652
SHA1 hash: 311184b748f1c2f79610017885f9dd9de3796c83

SHA256 hash: 407aa452ff5f12d7335508d789252b43c1aab52bf91aabc696be9923f0cae1db
MD5 hash: 9f3248e60fbb9d3c2b80316a012ee8fe
SHA1 hash: 140165352e67d38c46440836cd8e68eb728b7c89

SHA256 hash: 1357194afbdf402dc213e97f7bc2cd311617871da0803b7a03d7693bc5d8d31c
MD5 hash: ccbebb43009addb378ff46573b5fee2d
SHA1 hash: fd404c09c8fae92b8d201c1711385dadb3471ace
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: f34485bc00f5fb74ac330a2c3c50b8bb9b53fdd8bd2bfd6f15ef9b87d331d22a
MD5 hash: 239524d154448260946f7057710889a3
SHA1 hash: 94b6a21b7ae6faaa663c83499968dfa6bf35a8b2

SHA256 hash: 06a1ae787e808d6287de314be8bec64ef2e0d3bc1bf2ea71ae268c7b8fb19e2d
MD5 hash: 91b39e533d48f5fa25ac604da90b3d8d
SHA1 hash: f5dadf1e8fcbe64609e4cd78a27e2810f7a6e69e

SHA256 hash: c8c1020fe926cc1851b73c1915ad32e2fc393dccb402782aca8f4ea6379ba84d
MD5 hash: ef7cf89d9ec52b18a8f5b6ee49820f46
SHA1 hash: dcf9cb9bb3f72ca4b3cc0c00b27bd9ce10b554bb

SHA256 hash: 7cf2411b90fb4cfdfc536cd9a3c9b99542c44bd6532402e0f6397b9dd62324fc
MD5 hash: 46a4bcdd677e3728cb22dbbe47c9b9aa
SHA1 hash: 4a03abaf22b192010b1636e1af8ee5c018028123

SHA256 hash: d3f24911d00d121b1cbda0eb6b209a03f6bfe569e9a8cc99bc1c2c5bab1dcbe0
MD5 hash: 072755e355848b9b3e31e31dca456cb4
SHA1 hash: 817b258461ee02edcbb93800542d53ac86ebb4a4
Detections: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Please note that we are no longer able to provide a coverage score for Virus Total.
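The hash block at the top of the entry and the unpacked-files list above are the IOCs an analyst actually pivots on. The following script, added here as an example and not MalwareBazaar's own code, parses an excerpt of the listing (copied from this page, with one block deliberately using the abbreviated "SH256 hash:" label the raw listing contains), builds a lookup keyed on every hash, and matches local files against it. Only the stdlib digests (MD5, SHA1, SHA256, SHA3-384) are computed; imphash, ssdeep and TLSH need the third-party pefile, ppdeep and py-tlsh modules and are left out. Note that the imphash on this page is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so it is a clustering pivot, not an identifier.

```python
"""Match local files against the IOC hashes in this MalwareBazaar entry.

Added example (not MalwareBazaar's code). Only stdlib digests are computed;
imphash, ssdeep and TLSH need pefile, ppdeep and py-tlsh and are left out.
"""
import hashlib
import re
import sys
from typing import Dict, List, Optional

# Constructed excerpt of the entry's "Unpacked files" listing: the submitted
# sample plus two of its unpacked files, copied from the page. The second block
# uses the abbreviated "SH256 hash:" label on purpose to exercise the parser.
LISTING = """\
SHA256 hash:
61947a9d284d74e332427d5d4f19975f1424bef13d4c52f4f7476b2f4474efc6
MD5 hash:
7d8af7090e2ce7294b543c9e678ea7ca
SHA1 hash:
02940e8af15d914f582b401a6097ea3b0b496c08
SH256 hash:
1357194afbdf402dc213e97f7bc2cd311617871da0803b7a03d7693bc5d8d31c
MD5 hash:
ccbebb43009addb378ff46573b5fee2d
SHA1 hash:
fd404c09c8fae92b8d201c1711385dadb3471ace
Detections:
win_formbook_w0 win_formbook_g0
SHA256 hash:
d3f24911d00d121b1cbda0eb6b209a03f6bfe569e9a8cc99bc1c2c5bab1dcbe0
MD5 hash:
072755e355848b9b3e31e31dca456cb4
SHA1 hash:
817b258461ee02edcbb93800542d53ac86ebb4a4
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
"""

# Accepts "SHA256 hash:", the abbreviated "SH256 hash:", MD5/SHA1 and Detections.
KEY_RE = re.compile(r"^(SHA?256|MD5|SHA1) hash:$|^(Detections):$")
DIGESTS = ("md5", "sha1", "sha256", "sha3_384")


def parse_listing(text: str) -> List[dict]:
    """Turn the key-on-one-line / value-on-the-next layout into records.
    A new record starts at every SHA256 line; MD5, SHA1 and Detections attach
    to the most recent record."""
    records: List[dict] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            pending = (m.group(1) or m.group(2)).lower()
            if pending == "sh256":
                pending = "sha256"
            if pending == "sha256":
                records.append({})
            continue
        if pending and records:
            records[-1][pending] = line.split() if pending == "detections" else line.lower()
        pending = None
    return records


def build_index(records: List[dict]) -> Dict[str, dict]:
    """Map every md5/sha1/sha256 in the listing to its record."""
    index: Dict[str, dict] = {}
    for rec in records:
        for algo in ("sha256", "sha1", "md5"):
            if algo in rec:
                index[rec[algo]] = rec
    return index


def fingerprint(data: bytes) -> Dict[str, str]:
    """Digest an in-memory blob with all four algorithms shown on the page."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def fingerprint_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all four digests so large droppers need not fit in memory."""
    digests = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def match(fp: Dict[str, str], index: Dict[str, dict]) -> Optional[dict]:
    """SHA256 is checked first. MD5/SHA1 are accepted because older feeds key on
    them, but a hit on those alone should be re-confirmed by SHA256 before acting."""
    for algo in ("sha256", "sha1", "md5"):
        rec = index.get(fp[algo].lower())
        if rec is not None:
            return rec
    return None


if __name__ == "__main__":
    idx = build_index(parse_listing(LISTING))
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        rec = match(fp, idx)
        tag = f"KNOWN ({' '.join(rec.get('detections', ['no rule']))})" if rec else "no match"
        print(f"{fp['sha256']}  {path}: {tag}")
```

Run it as `python match_iocs.py <file>...`; a hit prints the detections the entry records for that hash. The index normalises to lower case because feeds and vendor reports disagree on hex casing, which is a common reason exact-match IOC lookups silently miss.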

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload
Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detects a PE file with no import table
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Windows_Trojan_Formbook
Author: @malgamy12
Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d3f24911d00d121b1cbda0eb6b209a03f6bfe569e9a8cc99bc1c2c5bab1dcbe0

(this sample)

Delivery method
Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
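Both findings come from two fields in the PE optional header: the DllCharacteristics word and the size of the security (Authenticode) data directory. The script below is an added example, not BLint's code, and re-implements those two checks by hand from the PE/COFF offsets so the result can be reproduced without the tool. The set of DllCharacteristics bits it reports as missing (HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, NO_SEH, GUARD_CF) is this example's choice, not necessarily BLint's; the test image is constructed in-line and is not a loadable executable. One caveat a practitioner wants: HIGH_ENTROPY_VA is only meaningful for 64-bit (PE32+) images, so the checker suppresses that finding on PE32 files.

```python
"""Reproduce the two BLint findings on this page from raw PE header fields.

Added example, not BLint's code. Offsets follow the PE/COFF specification:
DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+,
the data directories start at 96 (PE32) or 112 (PE32+), and entry 4 is the
security (Authenticode) directory.
"""
import struct
import sys
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits. Which of these count as "security
# characteristics" is this example's choice, not BLint's exact list.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit only: lets ASLR use the full address space
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def parse_headers(data: bytes) -> Dict[str, int]:
    """Pull machine, magic, DllCharacteristics and the security directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    sec_entry = dirs + 8 * SECURITY_DIR_INDEX
    if sec_entry + 8 > opt + opt_size or sec_entry + 8 > len(data):
        raise ValueError("optional header too short for the security directory")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sec_off, sec_size = struct.unpack_from("<II", data, sec_entry)
    return {"machine": machine, "magic": magic, "dll_characteristics": dll_chars,
            "security_dir_offset": sec_off, "security_dir_size": sec_size}


def audit(data: bytes) -> List[Dict[str, str]]:
    """Return findings in the same ID / Title / Severity shape as the table above."""
    h = parse_headers(data)
    findings: List[Dict[str, str]] = []
    # An empty security directory means no Authenticode blob at all. A non-empty
    # one only proves bytes are present; validity still needs chain verification.
    if h["security_dir_size"] == 0:
        findings.append({"id": "CHECK_AUTHENTICODE", "title": "Missing Authenticode", "severity": "high"})
    missing = [name for name, bit in DLL_FLAGS.items() if not h["dll_characteristics"] & bit]
    if h["magic"] == PE32_MAGIC:
        missing = [m for m in missing if m != "HIGH_ENTROPY_VA"]  # not applicable to 32-bit images
    if missing:
        findings.append({"id": "CHECK_DLL_CHARACTERISTICS",
                         "title": "Missing dll Security Characteristics (" + ", ".join(missing) + ")",
                         "severity": "high"})
    return findings


def build_image(dll_chars: int, cert_size: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal MZ/PE headers for testing; not a loadable executable."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    opt_size = 240 if pe32plus else 224
    struct.pack_into("<HHIIIHH", buf, coff, 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    dirs = opt + (112 if pe32plus else 96)
    struct.pack_into("<II", buf, dirs + 8 * SECURITY_DIR_INDEX, 0x1000 if cert_size else 0, cert_size)
    return bytes(buf)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for f in audit(fh.read()):
                print(f"{path}: {f['id']} | {f['title']} | {f['severity']}")
```

On this sample the page shows both findings together with a YARA hit on INDICATOR_KB_CERT, a rule whose description is "stolen, revoked or invalid certificates"; those two facts are consistent, since a certificate-indicator rule can fire on strings inside the file while the security directory itself is empty. Neither an empty directory nor a present one says anything about whether a signature would verify, so treat "Missing Authenticode" as a hygiene signal, not as the reason the file is malicious.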

Comments