MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
SHA3-384 hash: 695fb8c8c7292ce9d4c6ce11de869dbd633104d708ca7226bb81f27a9101adf0805bbef1510c8a77926ffdf324c3ae42
SHA1 hash: 5f867c05df9f08f7475ba36eae09cc7a6d65fa43
MD5 hash: 4bd712105e5362f7b7d030f56d8d39eb
humanhash: pip-sink-spaghetti-undress
File name:rexzx.exe1
Download: download sample
Signature Formbook
Create hunting rule
File size:867'840 bytes
First seen:2022-07-13 13:47:49 UTC
Last seen:2022-07-14 05:04:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:riHBgGEUm1ge+ZLKuMMeLA62gtQ8/BHDUhu72Ymupe7ewYd9stFuVv4OsgtGG:ik1F+MtMmVtZ/BHv2D7ew490GQOssGG
Threatray 15'819 similar samples on MalwareBazaar
TLSH T12605F10EFBAAD916C7581633CCF04B150360DAC2A257EB2F76C163955D033A798CA6DE
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter KdssSupport
Tags:exe FormBook


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
3
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTE_REQUEST.doc
Verdict:
Malicious activity
Analysis date:
2022-07-13 13:11:45 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/c69650b9-e951-4dd1-af94-dfbc5d1d3adf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/287077/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.26880.15132.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cecd750b00dfa734ec6901/reports/3b6fd55a-8539-466d-841a-986e447f41d3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38e12754-613d-4d2a-a63b-a836e135a9f1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1030212
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 13:48:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6p7ndmcvlia42psidqwnczhyzsqb34hemgqdpd52rn5b6u2gti6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
077d4640e51e8a6cb8b05aafa60f5cb061619f556bed260481f2d537a57515d8
Formbook
1b79f5c913e11c7c7fdd9cf12706d6049894dcc48c5b87368ff4ff05b03cc7e8
Formbook
25349b2c8f2818db5174e1a60ca9c589ea76d90fd9422c9fb8d4f860caf9696a
Formbook
27ef35c90367b8bd42a5d68e93cd132c1ce8a7b0ba6a73e0447b016da8c4ddd6
Formbook
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
Formbook
4ece28a4229d41e763203acb8c66af294e5461b01de2c4e25daddab193dfe554
Formbook
5fd380b77aed19d5086ee0c5afb1a717b0901bcf456ef658c0381107e47f17a1
Formbook
7fd0e394a9d74592a74d04b3dccf2dcf8457d0e894cadadbf999c327e9b3940e
Formbook
8c0ce5ef01612337d63e947ddbbd90b752cc3a50047e503958715d83100ae477
Formbook
a8542b82f30bd1f1ac0fad9da2d06c9c0ee63d4a5b2e02534b7cbf97be882c0a
Formbook
+ 15'809 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220713-q34btshge4/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
e26fd77e5cfaecb8249352b9a5eb5bee56d603d313ea78c02146a801eddde39d
MD5 hash:
e7885349a3454e27ca2dce8c1df18ac9
SHA1 hash:
52460c4e9a8697f34cf05cae868a71033504af7a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6e0dd3dd-991c-4819-ad27-75fe1165ba0e/
Parent samples :
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8
cc241fc34501296b9d528cc1a58bee76407a68a811f26705d868c76f496981d3
d524deece8493db69c10101c080269bbac5054a3d5740d21d50d536753df0c9a
dea4c28b344a778b2d1e880d4d52a69e4fabd2c62657143368fddb8302dccaff
7aeb7b7c9709aa5f1ec6e42ee76aa4a9791999e5f838de009b86bc840a031eab
4ed7500498bf6e841d2089acf3ae49e8a9a29c67926c390ebcc1a36a17cd6329
SH256 hash:
469985066b5c1402e6781857b574c78187b7ad7ffb9b7bd395239e8552f5a98e
MD5 hash:
b43e53728c9f870075a79102ff6628d0
SHA1 hash:
da833ed2954ca3ca827c93c1dea8427b1b17ddb2
Link:
https://www.unpac.me/results/6e0dd3dd-991c-4819-ad27-75fe1165ba0e/
SH256 hash:
ff8cdebaee55f9bb0a248442642fdade22e845ac83e96d961346b606932f8c03
MD5 hash:
fc95e69e2d9b0e5a3cdb269b0584d086
SHA1 hash:
d6283786aa7be0b986baffc6f337bef072b2cbe0
Link:
https://www.unpac.me/results/6e0dd3dd-991c-4819-ad27-75fe1165ba0e/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/6e0dd3dd-991c-4819-ad27-75fe1165ba0e/
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Link:
https://www.unpac.me/results/6e0dd3dd-991c-4819-ad27-75fe1165ba0e/
SH256 hash:
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
MD5 hash:
4bd712105e5362f7b7d030f56d8d39eb
SHA1 hash:
5f867c05df9f08f7475ba36eae09cc7a6d65fa43
Link:
https://www.unpac.me/results/6e0dd3dd-991c-4819-ad27-75fe1165ba0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2256885/
Cape
Cape
https://www.capesandbox.com/analysis/287077/

Comments