MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
SHA3-384 hash: bbe9573d8da83e4c063e46d7eb0cfb9f533208372bf3c7b8e123f74a50bbe4b218751e30a53206db1a48d2cec7533520
SHA1 hash: 47d372a19fc28e8a825adb9511118fb15fa6c9ba
MD5 hash: aa54cc75551a0903c7c6ad095791cdd7
humanhash: football-sweet-lake-yellow
File name:Shipment Document BL,INV and packing list.jpg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:561'664 bytes
First seen:2023-11-13 12:00:35 UTC
Last seen:2023-11-14 19:33:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:r0VlgZ+9iPOxgFyxiXauAia7jebblCKEh0:rnsxgQxiXauAn2b5C
Threatray 446 similar samples on MalwareBazaar
TLSH T191C41210B7FEDB19E9BDB33A49F5172A1B70A506A036E30F8E45196C395BF814E42732
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe FormBook Shipping

Intelligence

File Origin
# of uploads :
6
# of downloads :
304
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/458333/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.28339.22451.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/655210043dd412119bfa4bba/reports/7bd67d35-8eda-4f1d-b9b3-d0e204e75bed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/583338cb-3d67-4357-9f04-2551fdaecc94
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341672
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-11-13 12:00:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6nxtgnvo3rd6p3agdtc2cfmj3hr23t7zno6iawunu6wadawubyra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
105723d9d7a4cebad5fdd0454435d7ff2776d8084fbc94795c5e9cd863dff0d4
Formbook
491a7d02ded7d63a9a098e361513409c040eeb9e8e03f38c2a1ec1e5d322c3f8
Formbook
6799ba146b9ff5bcb092d8d1e3295fcb990a8a3e9e6c4f46bbd1e2d4ec7e8c7d
Formbook
b907644a3bb4a1b9c09a952057ab8c9bcc7111e2e918115cdff09735181ea6a3
Formbook
e53fdefd4cafe3925c482e6ddd86d21658e8b42025ac5a37073b0650d10a03bc
Formbook
+ 436 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fs35 rat spyware stealer trojan
Link:
https://tria.ge/reports/231113-n6v4hsch93/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
ebb46bf819d57e643e831c8cd436414a8961ab6112a7a4ce580fcf23e455030b
MD5 hash:
c90142f38b1efda69b3c2af1ad87f5ae
SHA1 hash:
3b34c8e64904987cd75b1a7b09105a39dc66f473
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/513fcf32-8f6b-4194-a4cf-e004ab170838/
Parent samples :
6467245f6d186b2dd54ba139a2bd8ea38cafe83952d7c20cd0937c53b9e9cb6a
f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
43141e46fdafbf6529ef4319ee733ef308a6e6e12278e74c135d977a5b135876
cf33cf1b99aec2e58ebff495b327734f9d444884af6846ea086c210bd4ee2623
6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/513fcf32-8f6b-4194-a4cf-e004ab170838/
SH256 hash:
b9a36939d8874c76bc1bacf9571af2742227cfc02a42bdccd724a82841deaa33
MD5 hash:
e831864aaf22fc4d147be06729040edf
SHA1 hash:
854e3673129a38c8c0b32659ed12804b7c541d53
Link:
https://www.unpac.me/results/513fcf32-8f6b-4194-a4cf-e004ab170838/
SH256 hash:
62757af7ce2dcfe188245dd26d85e233c2ded82311c600c7c8ec83c8c8a071b2
MD5 hash:
804cc8416b7db140f03d251ca3abbf00
SHA1 hash:
1a1160f7db639606a1046b555b08a43035aff960
Link:
https://www.unpac.me/results/513fcf32-8f6b-4194-a4cf-e004ab170838/
SH256 hash:
f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
MD5 hash:
aa54cc75551a0903c7c6ad095791cdd7
SHA1 hash:
47d372a19fc28e8a825adb9511118fb15fa6c9ba
Link:
https://www.unpac.me/results/513fcf32-8f6b-4194-a4cf-e004ab170838/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f36f3336aedc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace e958e73b9bc2207e404fc179ee4bf3768b108c755b7732769cd3edb493597a03

Formbook

Executable exe f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e958e73b9bc2207e404fc179ee4bf3768b108c755b7732769cd3edb493597a03
  
URLhaus
https://urlhaus.abuse.ch/url/2726989/
Cape
Cape
https://www.capesandbox.com/analysis/458333/
  
Dropped by
MD5 d410aeea4a990b30f7ef300e05d6fe8a

Comments