MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342
SHA3-384 hash:	678768f1dae7effdc27544ff5cda25269e396705ddfe54f57bee4266890de5e1759a521e2ee3145183a6eb2bb4ca759e
SHA1 hash:	d879ac8fceead34925984c2b51dedbcc0b011641
MD5 hash:	db51e78c231788625c581c4aa561937f
humanhash:	football-single-pizza-uranus
File name:	SecuriteInfo.com.W32.AIDetectNet.01.18744.24913
Download:	download sample
Signature	Formbook Create hunting rule
File size:	669'696 bytes
First seen:	2022-05-30 08:45:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:w3i1kgy4IkFGBHyCGfKxS6tkE++HcuF9wc4zcnzveZqc6q2AWW:wy1kgy4IJASk6t5hcuHn46jFI
TLSH	T191E401297EE4DF52C55842B1D1E3C83417E29A875232D78A3E8A13DA0E423A55DCDFCB
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00ccf096ccc0d400 (21 x FormBook, 18 x AgentTesla, 11 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.18744.24913

Verdict:

Malicious activity

Analysis date:

2022-05-30 08:52:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/849a2fae-64c3-44a9-bc26-bda2994ea017

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/275418/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.18744.24913.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/62948465abd125235085e955/reports/8f2be965-b6cc-4bfa-b72c-d60eccc5ee6c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/091e46a7-7e75-4909-9667-1b6b3e7cc9c5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003570

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-05-30 08:46:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4orevikapf52grha4ogkqwttrttwzedpcnes3m757gbaq6v54nba._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:oi25 rat spyware stealer trojan

Link:

https://tria.ge/reports/220530-kpavgacacm/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

Unpacked files

SH256 hash:

d9ad45bcbfe603a3be699508002edc692666abb8607437d7287797ebbb20c35c

MD5 hash:

75d51ce06fec59270a87053916934bbb

SHA1 hash:

892b1be0a0937ef4607d705b4e750b36e166e084

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/37181842-af2d-42d4-beb5-63d72512719a/

Parent samples :

e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
d789dc89cbdaa34557abf0c25f2ae5e35208c752fdfceb0aaff7ab15a7e45220
d060c0c503a5d377c6f8df72835faad2b6172958efa655f04d3b0f074d10d1dc
9120ea8d13a11c171723ddc231be7217f6611b631d98a71254be079cc3e9dfe2
591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09

SH256 hash:

c71af1c666125c07a99199a72f1e26cb4ebbcda50cb61b5de3505e9122641feb

MD5 hash:

3113950d20b049b3b573606a9b72d085

SHA1 hash:

fa44a0f7afbd85d9fe3e06a2cc3c015775ca619d

Link:

https://www.unpac.me/results/37181842-af2d-42d4-beb5-63d72512719a/

SH256 hash:

840be1d54ac08fdec3556b93ff92af7e2f6d7c909a7606c59c5ac777670e2742

MD5 hash:

cc4a8210cb3e6146e928003944c15fbf

SHA1 hash:

e218e2b2a8c8e204c19d6cc6aec987b87544d566

Link:

https://www.unpac.me/results/37181842-af2d-42d4-beb5-63d72512719a/

SH256 hash:

a479ef1e75d5b24a3937a44269039fb571216b0c912eb11c008d773de2317d7b

MD5 hash:

4e78d8eaae34a3b4342f660e2c8aa5a5

SHA1 hash:

b633bd1c977a0b9ac228dc4dd4c413e51dea97fc

Link:

https://www.unpac.me/results/37181842-af2d-42d4-beb5-63d72512719a/

SH256 hash:

710a81019bc6889e2878a30e6535bc44ee21d6f57d53dcc38559af483c8ac746

MD5 hash:

f56363b5a59961ae093e972f99b8947d

SHA1 hash:

64a76e40ce697b8e69bf92e40ad22952df60eaeb

Link:

https://www.unpac.me/results/37181842-af2d-42d4-beb5-63d72512719a/

SH256 hash:

e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342

MD5 hash:

db51e78c231788625c581c4aa561937f

SHA1 hash:

d879ac8fceead34925984c2b51dedbcc0b011641

Link:

https://www.unpac.me/results/37181842-af2d-42d4-beb5-63d72512719a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e3a24aa14079/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275418/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample