MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7
SHA3-384 hash: 87c8a54fb8cddb7eda157015cfa02f74db5d185553b58d0c3846567b6b5d1ca680228e8d7be75abb7b57f320191aedea
SHA1 hash: 91502930791280bb8e938e19578b7160c65da340
MD5 hash: d48f1e07e2a3a115b8607be5d66654f6
humanhash: two-shade-orange-green
File name:d48f1e07e2a3a115b8607be5d66654f6
Download: download sample
Signature Formbook
Create hunting rule
File size:837'120 bytes
First seen:2023-03-16 19:31:34 UTC
Last seen:2023-03-16 21:28:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:JuFQwcvHCQjAHS/MvjkunmVFPFtT3nGlNP5z/Q:RPhjvHVFPf34
Threatray 2'455 similar samples on MalwareBazaar
TLSH T17405018DFEE52510CA6D0BB7E0D324A483B15A175F81DB1E9DCA0AE62F31797C980C67
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8e0d8c1414e87f8e (7 x AgentTesla, 6 x Formbook, 4 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d48f1e07e2a3a115b8607be5d66654f6
Verdict:
Malicious activity
Analysis date:
2023-03-16 19:34:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c09b021a-f93c-4bbe-b9de-e0f844db53fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374883/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64136eb4c65d1ebf04c0c616/reports/c422eeb0-bdc1-4d13-bdab-2f620e950f74/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/62a9904a-187f-4dd1-bd54-0e8b6400af82
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195300
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 828201 Sample: pVMKbPXsqb.exe Startdate: 16/03/2023 Architecture: WINDOWS Score: 100 51 www.cmproutdoors.com 2->51 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 Sigma detected: Scheduled temp file as task from temp location 2->63 65 3 other signatures 2->65 9 pVMKbPXsqb.exe 7 2->9         started        13 FOyetuUIHRvSD.exe 5 2->13         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\FOyetuUIHRvSD.exe, PE32 9->43 dropped 45 C:\...\FOyetuUIHRvSD.exe:Zone.Identifier, ASCII 9->45 dropped 47 C:\Users\user\AppData\Local\...\tmp1DCF.tmp, XML 9->47 dropped 49 C:\Users\user\AppData\...\pVMKbPXsqb.exe.log, ASCII 9->49 dropped 75 Uses schtasks.exe or at.exe to add and modify task schedules 9->75 77 Adds a directory exclusion to Windows Defender 9->77 79 Injects a PE file into a foreign processes 9->79 15 pVMKbPXsqb.exe 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        81 Machine Learning detection for dropped file 13->81 22 FOyetuUIHRvSD.exe 13->22         started        24 schtasks.exe 1 13->24         started        26 FOyetuUIHRvSD.exe 13->26         started        signatures6 process7 signatures8 85 Modifies the context of a thread in another process (thread injection) 15->85 87 Maps a DLL or memory area into another process 15->87 89 Sample uses process hollowing technique 15->89 91 Queues an APC in another process (thread injection) 15->91 28 explorer.exe 3 1 15->28 injected 32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 24->36         started        process9 dnsIp10 53 lokoua.com 83.229.19.64, 49702, 80 SKYVISIONGB United Kingdom 28->53 55 popcors.com 173.230.227.171, 49712, 49713, 49714 INTERNAP-2BLKUS United States 28->55 57 7 other IPs or domains 28->57 83 System process connects to network (likely due to code injection or exploit) 28->83 38 mstsc.exe 13 28->38         started        41 cmstp.exe 28->41         started        signatures11 process12 signatures13 67 Tries to steal Mail credentials (via file / registry access) 38->67 69 Tries to harvest and steal browser information (history, passwords, etc) 38->69 71 Modifies the context of a thread in another process (thread injection) 38->71 73 Maps a DLL or memory area into another process 38->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-16 19:32:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pdyueo4bobb42bt7rocaqglssrlj6i2g7jhxtsvo3a5vimqxdtq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7
Formbook
5dc78112397a04a6b3cef6f63aa0c817e641cb4cefb8fd91958cdfed48d57bbe
Formbook
7444076452ac7a4117951614eafa9552214d8b61650f8fdbc83c5de230058b23
Formbook
77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
Formbook
a442f82c38de8318198d6dd2415b2ff10eb9851e20687ba6d4105525d1e56f0b
Formbook
ced21302bfa069209473ff66c3511ee8530a11a5323db0b485acb12d6a88a188
Formbook
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df
Formbook
ec3aca205b55b422244e9d46cffe68348e1e6691fcf465495ca69a0f972ce1b3
Formbook
edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
Formbook
fb1ccc21ef84112ec41d904546fa6e35c0ee0ff48626b68dd2d1839f77a4b508
Formbook
+ 2'445 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230316-x8yf4aeg4z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
5546b796e9f2cd13e3dbc9dd2b88fbaecd87860b3141bf09a5ebc7c317772774
MD5 hash:
666790b9763027ad86c9643614e7eb91
SHA1 hash:
c2a75f9097ee4be0bd7b97ad805fc6a7155f86f1
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
Parent samples :
7444076452ac7a4117951614eafa9552214d8b61650f8fdbc83c5de230058b23
f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7
77194b668ce640225df0d876e991d58dc8c08e809474cd21abe5dc030857cb10
SH256 hash:
d6800f1a77ab727bd6c451d8d988d5d13d11ee42679051c8875e71842d0c4018
MD5 hash:
dae26f805251765b8585b73e71b5ed5f
SHA1 hash:
002be915573fc8ab6a8c97057bcf4a5927f16243
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
SH256 hash:
37a8a266f08784d4fc25a2f9025a3cb6ec6140d789e422e7488d43671ae6525e
MD5 hash:
a314d608085d1b159e5eb23179c241f0
SHA1 hash:
093ab8d2d48a262e41314cc05ca461590fbedec7
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
SH256 hash:
ad1ce687f1d85c83e24c240413a3654243985db457f1b2ae9f06a538b6be7ef7
MD5 hash:
18f762c4041b5fd7b56abcbdf17e60d7
SHA1 hash:
5550d34be96169a77a150d4c5af24a13ea84759d
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
SH256 hash:
ff6d34968a4437590d1ca20e46620d83245b4d0f78f53ced00e8d926be04fc10
MD5 hash:
277975ea9c896f312172000af8df193e
SHA1 hash:
3542d315f4315120209949820c89d54842e89943
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
SH256 hash:
7b018d831e5a135868fc7e507c2e4360b7fb5890554e689a7817759528a29b85
MD5 hash:
a4ef8d0a55cbfe334ef8e92dfa18d8ca
SHA1 hash:
b22515298982a3bc17a127e49a4f7afd5b8e69fa
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
SH256 hash:
f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7
MD5 hash:
d48f1e07e2a3a115b8607be5d66654f6
SHA1 hash:
91502930791280bb8e938e19578b7160c65da340
Link:
https://www.unpac.me/results/931c9a10-2771-4fd5-866a-e8479f612d50/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3c78a11dc0b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2573895/
Cape
Cape
https://www.capesandbox.com/analysis/374883/

Comments


Avatar
zbet commented on 2023-03-16 19:31:38 UTC

url : hxxp://172.245.191.19/709/vbc.exe