MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
SHA3-384 hash: 082eb149e5c75bd4b38ca84eab2a18b7190a51a30a63fe407964269622b8b05f4b5e38e37c40795f45160ce933120341
SHA1 hash: 13b2c7e70fbf0027584783910e61222e7cacae58
MD5 hash: 9d0b109dd6efb4a954ff88d024034d3a
humanhash: may-berlin-pizza-king
File name:T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com
Download: download sample
Signature Formbook
Create hunting rule
File size:286'787 bytes
First seen:2023-02-14 07:20:44 UTC
Last seen:2023-02-20 08:45:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6Y4oiwtoVxuTwRsDNwrLU0QQDYFKwCyGARrUmHsH6X7lfR4:/Ye4QQ4wCZwrg0QQsSpM9sH6X7l54
TLSH T14D5412057DB8C057E5B09B322F341AC5ADACBA2B5EB4478F5360A71CBE19394D90D3A3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
190
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com
Verdict:
Malicious activity
Analysis date:
2023-02-14 07:22:05 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/41a08e1c-8f16-4025-bbd9-26971051a46f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/365466/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.7.20619.14684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69399/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1b1d429-38d9-4b0e-a3ab-75c2caa4c5fe
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174133
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 806923 Sample: T.C.Ziraat Bankasi A.S_Ekst... Startdate: 14/02/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 3 other signatures 2->44 9 T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com.exe 19 2->9         started        process3 file4 26 C:\Users\user\AppData\Local\...\tqxwmam.exe, PE32 9->26 dropped 12 tqxwmam.exe 9->12         started        process5 signatures6 58 Multi AV Scanner detection for dropped file 12->58 60 Detected unpacking (changes PE section rights) 12->60 62 Maps a DLL or memory area into another process 12->62 64 Contains functionality to detect sleep reduction / modifications 12->64 15 tqxwmam.exe 12->15         started        process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 Queues an APC in another process (thread injection) 15->72 18 explorer.exe 1 15->18 injected process9 dnsIp10 28 www.energybig.xyz 184.94.215.91, 49709, 49710, 80 VXCHNGE-NC01US United States 18->28 30 cutgang.net 194.102.227.30, 80 VODAFONE_ROCharlesdeGaullenr15RO Romania 18->30 32 7 other IPs or domains 18->32 46 System process connects to network (likely due to code injection or exploit) 18->46 48 Performs DNS queries to domains with low reputation 18->48 22 cmmon32.exe 13 18->22         started        signatures11 process12 dnsIp13 34 www.cutgang.net 22->34 36 cutgang.net 22->36 50 Tries to steal Mail credentials (via file / registry access) 22->50 52 Tries to harvest and steal browser information (history, passwords, etc) 22->52 54 Modifies the context of a thread in another process (thread injection) 22->54 56 Maps a DLL or memory area into another process 22->56 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 05:55:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mmxzstu6ygfklm5hngqjwmzs3hmvdeny2wyiwsgrqimmudcud6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230214-h6m51sbf48/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b6597235146d92b00a259159d5b55fa66609b614563e11e12a22c53ab7fd07e1
MD5 hash:
5752622be89bf057c5dfba56579ce433
SHA1 hash:
b863a48c1a990d4c56a4d3294b5caf427f8f32c5
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3a50854b-4c7d-4342-83f1-2f6ef8e3ea1a/
Parent samples :
6de63b7890315976d74cb265d71a3c370cfcc337eb20831cce254355529b4e03
39156092712f27714fed918a43876cd6b85c9ad6d3ab6b96fe22e49eb2f34346
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
24df0ccdc95c15d68f1bdee2d09ec3cd9fafbe9913cadacee75889d407cd8f84
05977847b0408ec1abb7b4cd05ad10b4004c97d5c949e579d695d47518f4f376
SH256 hash:
a15c8513d6045f6b20e637c749209827a2b00f4f5c4eee7da4e950d11f0552f2
MD5 hash:
2d87b7759a0ec743070c7a484d6435c2
SHA1 hash:
5085cfc12612ea590dcec452b500398464632d81
Link:
https://www.unpac.me/results/3a50854b-4c7d-4342-83f1-2f6ef8e3ea1a/
SH256 hash:
46774fadd3afd1da3a577a2ab6f7be891496cb3d970fce7d4ba2e2ea88345a64
MD5 hash:
b3c569394e804a6c34e9677dace79a23
SHA1 hash:
5290e495798e598c49f8f6f37039efcab81bf869
Link:
https://www.unpac.me/results/3a50854b-4c7d-4342-83f1-2f6ef8e3ea1a/
SH256 hash:
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
MD5 hash:
9d0b109dd6efb4a954ff88d024034d3a
SHA1 hash:
13b2c7e70fbf0027584783910e61222e7cacae58
Link:
https://www.unpac.me/results/3a50854b-4c7d-4342-83f1-2f6ef8e3ea1a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3197cca74f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/365466/

Comments