MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839
SHA3-384 hash: 6c54f66fbecd0b08629846169b6dcbf6e674e48e6b63e2fa0c7c1caa7ef94da0160369682cbaf724e81af36c8e04f68a
SHA1 hash: 5781f6d4918dfb0260444dcbaf040dee3ffc0319
MD5 hash: 58683f82a5c6a4b53e5eea6e3d2df375
humanhash: magnesium-louisiana-east-hawaii
File name:Invitation to Tender (ITT) - TED-DRL-2024-024 - Supply PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:671'744 bytes
First seen:2024-06-11 08:59:24 UTC
Last seen:2024-06-11 09:29:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:/aCR5leZlNkbMvoHsUjsKZN5eJL/LaG2GcZO6EoLNSB2dC:i+erGMwMf8neJL/+GK3d
Threatray 1'183 similar samples on MalwareBazaar
TLSH T171E4235877CC8602D13F0F78957471E8E3FEA75076E6F6284EDB10C8E8B2AD26520786
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 017896b3a3361821 (10 x Formbook, 9 x AgentTesla, 3 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
419
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
Verdict:
Malicious activity
Analysis date:
2024-06-11 09:03:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d14a9ca0-5762-471b-915b-55346778abb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Packed2.46843.8000.32093.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6668120e5c0e232c1ff044edwin7simulatehigh_evasion
Tags:
Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc7f6ddc-950e-4644-83f9-f5d3c10bdae8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455039
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455039 Sample: Invitation to Tender (ITT) ... Startdate: 11/06/2024 Architecture: WINDOWS Score: 100 38 www.wellnesswithpami.com 2->38 40 www.welding-ceramics.com 2->40 42 9 other IPs or domains 2->42 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 10 other signatures 2->56 11 Invitation to Tender (ITT)  - TED-DRL-2024-024 - Supply PDF.exe 2 2->11         started        signatures3 process4 signatures5 66 Injects a PE file into a foreign processes 11->66 14 Invitation to Tender (ITT)  - TED-DRL-2024-024 - Supply PDF.exe 11->14         started        process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 2 other signatures 14->76 17 explorer.exe 68 7 14->17 injected process8 dnsIp9 34 www.welding-ceramics.com 104.166.67.208, 49730, 80 QUICKPACKETUS United States 17->34 36 td-ccm-neg-87-45.wixdns.net 34.149.87.45, 49725, 49729, 80 ATGS-MMD-ASUS United States 17->36 48 Uses netstat to query active network connections and open ports 17->48 21 NETSTAT.EXE 17->21         started        24 WerFault.exe 21 17->24         started        signatures10 process11 signatures12 58 Modifies the context of a thread in another process (thread injection) 21->58 60 Maps a DLL or memory area into another process 21->60 62 Tries to detect virtualization through RDTSC time measurements 21->62 64 Switches to a custom stack to bypass stack traces 21->64 26 explorer.exe 18 133 21->26         started        30 cmd.exe 1 21->30         started        process13 dnsIp14 44 wellnesswithpami.com 3.33.130.190, 49749, 80 AMAZONEXPANSIONGB United States 26->44 46 www.bestcryptominer.com 13.248.169.48, 49767, 80 AMAZON-02US United States 26->46 68 Query firmware table information (likely to detect VMs) 26->68 32 conhost.exe 30->32         started        signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-06-10 19:19:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hz4rbcidlvhnke47rsz4uexrhregitbddxbapdw3l6xnvz2va4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b97c43d0eb22c21c8c4be37b6b45a1fd2acc9aa8c2a30012a06c2a0fb23a1f2
Formbook
2eab6a48a08726441514655a1d84a3921af8139cd2e7b61f23a30c11785f28f2
Formbook
6d911bfb01daa6f3acafd3ccb33b432d806c82b2b35c0c3408d822bf8c6b4c00
Formbook
87698c1e19d65ae8f35f18b98690093601458944fe6317009f884c4e3b2a4842
Formbook
ad896a8982941cd8a7b4f237f775e712dc1a05cfb2d80601d45f4cc73475ecc0
Formbook
c4b6e4bd4131eaa2fba28259570135346ea35a90bf271bab1560f019550698fd
Formbook
c4f6b7795e7c6267497a352a75628f59778b0345d719fb49eca4967a681b5728
Formbook
d6f3187ea8a4c0cb9e263a665487060b5b14caf184a5343b2ed928b67d16a264
Formbook
f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839
Formbook
f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651
Formbook
+ 1'173 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:38gc rat spyware stealer trojan
Link:
https://tria.ge/reports/240611-kybs5asaql/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
fd3ccfa0976fe220939fb9c25e59ac7f9f65e68dcfc4b136b8cd6f130ac57bdc
MD5 hash:
b0f47afa9085045e53ed6b33b8e7be20
SHA1 hash:
60b2d2af4ac6457683825ea44fc0a1572722b6dc
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/6622fdb6-3946-4041-851a-9c7d347aebfc/
SH256 hash:
1a1de9f3fe4c3a7ea7cd547cdd9d78b3873d6e243e544e5bb647452d6d9f6cfe
MD5 hash:
ceb52a5c98659e8905ea76737fe00c01
SHA1 hash:
bb7b30ff84d6aa26eaa0021c9fa3cd2c5a08e694
Link:
https://www.unpac.me/results/6622fdb6-3946-4041-851a-9c7d347aebfc/
SH256 hash:
0c8eaf5e9d755b800edf23dc811414f96226cd645b28ef28a051189bb40e063e
MD5 hash:
953214fda837c3b52e25c59c06392b24
SHA1 hash:
61d1ea8e11b64c409af48b122cf1e5c0689e93c2
Link:
https://www.unpac.me/results/6622fdb6-3946-4041-851a-9c7d347aebfc/
SH256 hash:
6243c709db7165f4a84036c0544b462ee9539412c61de6151a6aa18465659e48
MD5 hash:
5166d8930d5a1bf5a1738cc180587975
SHA1 hash:
4316633ea531432ff67776d1e59dcf8481a7cbbc
Link:
https://www.unpac.me/results/6622fdb6-3946-4041-851a-9c7d347aebfc/
SH256 hash:
f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839
MD5 hash:
58683f82a5c6a4b53e5eea6e3d2df375
SHA1 hash:
5781f6d4918dfb0260444dcbaf040dee3ffc0319
Link:
https://www.unpac.me/results/6622fdb6-3946-4041-851a-9c7d347aebfc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 8fcdfb3ba15c9fc6d420300a336bb51793970dff8f1556ae4e67b734f4fd5742

Formbook

Executable exe f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8fcdfb3ba15c9fc6d420300a336bb51793970dff8f1556ae4e67b734f4fd5742
  
Dropped by
MD5 23c8d16927b30f99c51ac394dec571ec

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments