MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282
SHA3-384 hash: 90fccf453b697bc3cec3478543f5ae3ee84a27be2786d45c75436e1625080b54693a36dd2d0d78b712c6f959c1b3e19d
SHA1 hash: 8d15d381db32622af14e09070557192f583b5a84
MD5 hash: f7ab12018bf8ca81c2a717c36dd99195
humanhash: emma-virginia-india-mobile
File name:z89ORDENDECOMPRAURGENTEpdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:598'528 bytes
First seen:2023-04-17 19:38:38 UTC
Last seen:2023-04-18 14:27:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:nQ3nj8JirlFcnDrIVsSix1zdQjn63Chb/jW3PkTJ:nAfZeQ63Wb/SfkN
Threatray 2'700 similar samples on MalwareBazaar
TLSH T1BCD4E029D125ADF3E6DD063200003AEEDB70A6E37477C63C4BA679D5DB9E7052C9818B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z89ORDENDECOMPRAURGENTEpdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-17 19:39:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39958888-5127-45c6-9505-ae217441db9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382868/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643da0568ecb3afce931c6c1/reports/8f6ee417-ef8d-4290-ae47-70062b0e7fd1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da134c03-b742-4c3a-bd39-21013f8881b6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215480
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848404 Sample: z89ORDENDECOMPRAURGENTEpdf.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 8 other signatures 2->74 10 z89ORDENDECOMPRAURGENTEpdf.exe 7 2->10         started        14 jFZOxuserb.exe 5 2->14         started        process3 file4 50 C:\Users\user\AppData\...\jFZOxuserb.exe, PE32 10->50 dropped 52 C:\Users\...\jFZOxuserb.exe:Zone.Identifier, ASCII 10->52 dropped 54 C:\Users\user\AppData\Local\...\tmpA88F.tmp, XML 10->54 dropped 56 C:\...\z89ORDENDECOMPRAURGENTEpdf.exe.log, ASCII 10->56 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Writes to foreign memory regions 10->84 86 Allocates memory in foreign processes 10->86 88 Adds a directory exclusion to Windows Defender 10->88 16 RegSvcs.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        23 conhost.exe 10->23         started        90 Multi AV Scanner detection for dropped file 14->90 92 Machine Learning detection for dropped file 14->92 94 Injects a PE file into a foreign processes 14->94 25 RegSvcs.exe 14->25         started        27 schtasks.exe 1 14->27         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 2 other signatures 16->66 29 explorer.exe 3 1 16->29 injected 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 27->37         started        process8 dnsIp9 58 www.ewa-china.com 104.206.153.188, 49701, 80 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 29->58 96 System process connects to network (likely due to code injection or exploit) 29->96 39 systray.exe 29->39         started        42 cmstp.exe 29->42         started        44 autoconv.exe 29->44         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 39->76 78 Maps a DLL or memory area into another process 39->78 80 Tries to detect virtualization through RDTSC time measurements 39->80 46 cmd.exe 39->46         started        process13 process14 48 conhost.exe 46->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77r33awfd6wwvh5rkcyyu5jc4jevsjnb5plysqvppdgw4i2yakba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
397ca8a839fae5e6c07fd3036a25e5df37220967ad381ca181da0a97354ed8cd
Formbook
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
Formbook
875f736e15e9825359679dd4482ef43a0d4ac3274c9ea4b3a8df90fa5d9ed47c
Formbook
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca
Formbook
9776ff04f5a266245eb0837078897bf8bdc9dac49d9a5cea1f23c146d00c295c
Formbook
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
Formbook
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
Formbook
d8d96fb0f87869e18b2f527be9a50e08768896ae6df8df2311a71bac4281a1e2
Formbook
e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
Formbook
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
Formbook
+ 2'690 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:de08 rat spyware stealer trojan
Link:
https://tria.ge/reports/230417-ycybwshe61/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
090dab2183aeb7c37f179655e5f9742c38dd715995039fc99aae589494a062fa
MD5 hash:
53404bc52c323cfabf11c4d994648fdb
SHA1 hash:
b132eed92f4954081d018a9639a77f9a102beb12
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ceeeece7-8ff8-446d-b8ec-d01b1d5dad44/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/ceeeece7-8ff8-446d-b8ec-d01b1d5dad44/
SH256 hash:
c2cbf2dd5d57a02f83599305ac1c797ddd05ac901530faa64da2cc8dd17c3f72
MD5 hash:
ec21e25362a39b7e90dfeeb242a5ea85
SHA1 hash:
a798a35f49bb667bfddd53ba65d77b42cd141229
Link:
https://www.unpac.me/results/ceeeece7-8ff8-446d-b8ec-d01b1d5dad44/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/ceeeece7-8ff8-446d-b8ec-d01b1d5dad44/
SH256 hash:
0f5d7e069d49ff85bdcd1ac79e551b82c36ba12f77b8292b95a4bafdcca97bf1
MD5 hash:
9e0c6d37883cbc4dc5ed6ecba831d952
SHA1 hash:
56cc8a5dd264d7491726d17a4eb73216d9ee747f
Link:
https://www.unpac.me/results/ceeeece7-8ff8-446d-b8ec-d01b1d5dad44/
SH256 hash:
ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282
MD5 hash:
f7ab12018bf8ca81c2a717c36dd99195
SHA1 hash:
8d15d381db32622af14e09070557192f583b5a84
Link:
https://www.unpac.me/results/ceeeece7-8ff8-446d-b8ec-d01b1d5dad44/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ffe3bd82c51f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ffe3bd82c51fad6a9fb150b18a7522e2495925a1ebd78942af78cd6e23580282

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382868/

Comments