MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75
SHA3-384 hash: 0e30f3d33d66aa23066e1dfb8d956ae95275b3d1f5fb68d16961d23c30755007fb30991cd62bd6473c3c5bc3fce445f5
SHA1 hash: 1393ab44a7e646dfb1b713a57229b793f22a9373
MD5 hash: ca1aa0acbc52b31bec58215eab3be293
humanhash: stream-green-nitrogen-tango
File name:r3DCProjectMarterials.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:899'584 bytes
First seen:2023-03-06 10:59:15 UTC
Last seen:2023-03-06 12:56:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:epX3cOQfLzn9sZ2ieafUAsmBPyV4QoYilhohEZka:lLJszee5BPRyilGmZ7
Threatray 2'289 similar samples on MalwareBazaar
TLSH T1D9159E9132B194B3F5CB016964287ACC2C3CB193B6D9E24B6A3779C096059FFF798E11
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8cf2684d6868e892 (13 x AgentTesla, 4 x Loki, 3 x SnakeKeylogger)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
r3DCProjectMarterials.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 11:01:49 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/70a62f99-768b-4e66-a32a-1733ed9b2d41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371919/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6405c7b3bfec0852a68fadfc/reports/5693a54a-ab89-4d92-8921-cb8832f14b3b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7496fb4-744a-4ec7-b8f6-9e6c50aa4877
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188193
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821068 Sample: r3DCProjectMarterials.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 4 other signatures 2->64 8 r3DCProjectMarterials.exe 7 2->8         started        12 xnlzmjynVrev.exe 5 2->12         started        process3 file4 44 C:\Users\user\AppData\...\xnlzmjynVrev.exe, PE32 8->44 dropped 46 C:\Users\...\xnlzmjynVrev.exe:Zone.Identifier, ASCII 8->46 dropped 48 C:\Users\user\AppData\Local\...\tmp7F85.tmp, XML 8->48 dropped 50 C:\Users\...\r3DCProjectMarterials.exe.log, CSV 8->50 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 76 Adds a directory exclusion to Windows Defender 8->76 14 MSBuild.exe 8->14         started        17 powershell.exe 21 8->17         started        19 schtasks.exe 1 8->19         started        78 Multi AV Scanner detection for dropped file 12->78 80 Machine Learning detection for dropped file 12->80 21 MSBuild.exe 12->21         started        23 schtasks.exe 1 12->23         started        signatures5 process6 signatures7 84 Modifies the context of a thread in another process (thread injection) 14->84 86 Maps a DLL or memory area into another process 14->86 88 Sample uses process hollowing technique 14->88 90 Queues an APC in another process (thread injection) 14->90 25 explorer.exe 3 1 14->25 injected 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 23->33         started        process8 dnsIp9 52 pv-solarteur.com 81.169.145.92, 49742, 49744, 49745 STRATOSTRATOAGDE Germany 25->52 54 bechargeparking.com 195.110.124.133, 49723, 49725, 49726 REGISTER-ASIT Italy 25->54 56 6 other IPs or domains 25->56 82 System process connects to network (likely due to code injection or exploit) 25->82 35 control.exe 13 25->35         started        38 autofmt.exe 25->38         started        40 autoconv.exe 25->40         started        42 wlanext.exe 25->42         started        signatures10 process11 signatures12 66 Tries to steal Mail credentials (via file / registry access) 35->66 68 Tries to harvest and steal browser information (history, passwords, etc) 35->68 70 Modifies the context of a thread in another process (thread injection) 35->70 72 Maps a DLL or memory area into another process 35->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 01:21:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66jyl6n45rdnwlriyjbxudvgapraq2c7tvbo64fte3w5qiow7n2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bc4886cebbde3d4a932203fa8596540269e0c92bb20cf2f8250f063c43798b8
Formbook
34daae4c26da65a8a6b4b5fe0286dcd9c412610120e31ddb98ab67f0466b3a56
Formbook
53e04b40ad30d83c66ef729d87e5822f732fbc6804cbe216d68898f583ce7ad3
Formbook
5fdb6e2373c18ec9d19f822279bce3d0e84c731ae8c0410fdd613c59379e6ad9
Formbook
896363cb6c5505b48615777ce409a415de259e7277888afc1bceae8afbf3b03c
Formbook
89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7
Formbook
8f2a0d373539a2f7f3a871315e598bfc0451307e89a4550b85de34ba49299e20
Formbook
96438df4cd911e468ec9fdad3922c0c3e223c7c6e0524f01420b920b3ed642ed
Formbook
d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
Formbook
e91b0fc888495a9583c32e70cae090980adccfab2ba310ff7f5f16eea7417354
Formbook
+ 2'279 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230306-m3zrvsbc8v/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
1cfb4c1ffdf8aa62c453d491a4b0b94e9457761e5f715f88b708a2609cbe306d
MD5 hash:
2236b86760a9206699c37a55ceb2b882
SHA1 hash:
76e278dbeba66f7f28e2f55a347aca9f727afd93
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
Parent samples :
f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75
2f260a7dd8ae9e2acf2c741d221a735644f9846740c3d379f1c7edb4ce30b845
SH256 hash:
afaa15e8731eb9dfb6c3f1015fa33dbe36e9883af9b53930ea7048ec669d6198
MD5 hash:
15cd650343759cb87a6cee5b85c24210
SHA1 hash:
75b86f569caf163f0f26e123fb2d9a5f642db40e
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
SH256 hash:
f66d78a7649d3221d7eadaf0fdc76f073a9361f28bbabb669273e49601db05f4
MD5 hash:
d0246388914b73434b80463d034cf75c
SHA1 hash:
9d685dd3f6d3fb2c7e9e7bae6139b9c7c5622ad6
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
db98f7d4012e2bc19b90691711950e1ae13b0e91c5b58c28e35868d4cb620419
MD5 hash:
f4e235a3c1c5dbb738e7a94c3f02b06b
SHA1 hash:
59f2529215eafd92c3c28add26afc779d2c97eaa
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
SH256 hash:
f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75
MD5 hash:
ca1aa0acbc52b31bec58215eab3be293
SHA1 hash:
1393ab44a7e646dfb1b713a57229b793f22a9373
Link:
https://www.unpac.me/results/6d574683-4a11-4374-a4d4-58a5fda43b7d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f79385f9bcec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f79385f9bcec46db2e28c2437a0ea603e208685f9d42ef70b326edd821d6fb75

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/371919/

Comments