MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289
SHA3-384 hash: 86891af7fb2838f242a137ee3a433d9fd0178a5df852dcd632f98b5183204fc48a93c65499423c6296850f3106a5a83f
SHA1 hash: a04f86b9a7a634b0af8701cd12ce92cb14a70738
MD5 hash: a596ebd2dbfeaf87999c3893b73eebd5
humanhash: saturn-london-moon-delaware
File name:Dhl Delivery Document.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:750'080 bytes
First seen:2024-07-04 15:36:13 UTC
Last seen:2024-07-04 16:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcKAPKK9XUhk5JWsGS3PVxU7kg:hBXu9HGaVHKASRylGS3PE7kg
Threatray 77 similar samples on MalwareBazaar
TLSH T1C2F423967B5E953BC4944BB0847B62387036BC60CA456BCAB0857F3BF973EC978011A7
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 5232d212f0cc8626 (20 x AgentTesla, 1 x Formbook, 1 x MassLogger)
Reporter malwarology
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a596ebd2dbfeaf87999c3893b73eebd5.exe
Verdict:
No threats detected
Analysis date:
2024-07-04 07:24:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5864f42a-4ccb-4385-902a-9e34d2431640

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.AutoIt.1410.15687.30277.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6686c2091005591c3c2e9554win10vpnfull_triage
Tags:
Shellcodecrypter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
AutoIt lolbin masquerade microsoft_visual_cc packed packed shell32 upx
Link:
https://www.filescan.io/uploads/6686c19fce78046c1aae946d/reports/e589bb42-c6ca-4b20-92ec-d4ee60ff1006/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ee87f0c-941c-4dc0-b987-50493cfb4c1c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1467756
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2024-07-04 10:23:49 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cn6mjymmyujndrbqwn3aw5dhkueavfc3aokjoxq7ceayghvyskeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289
Formbook
927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2
Formbook
a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0
Formbook
acc92a65ca022b4655bab496f447640dfe74055e9fbfcdf63e3e681ddf6b3bb8
Formbook
b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
e5f5e88e8becfe092d10a927f72f580fd3a98612989a69a1f6df309f32b169f6
Formbook
f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d
Formbook
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240704-s2f61s1bkb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a46bc2df-b34e-4c90-8c9e-644a83f52d0e
Unpacked files
SH256 hash:
f4ddb3ea2960cc4182f0ae13e6a1728b16c484721efb856e9f6d19576d0782ee
MD5 hash:
3fc9073327e0726a9ec199a92ad2d4bf
SHA1 hash:
1f32e426adb6385b285a618084be6f12674e31af
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/c07fa382-2fd9-475f-8d0e-30b273070ab5/
SH256 hash:
f1436b66a7c37efbc7b211ca451c9cb9fbd839010dd52575c5d81a4193898f85
MD5 hash:
427cebc9716a1e67f5525f1b346ec655
SHA1 hash:
5baeaff71e1f74035b26abc33d449de0f1eec411
Link:
https://www.unpac.me/results/c07fa382-2fd9-475f-8d0e-30b273070ab5/
SH256 hash:
fa50a65986bc1e9b37b059d5acc30de42590b69a6b65921c29765079806a1dee
MD5 hash:
85fca557eed33305ca63075db3ed7726
SHA1 hash:
9dc03eb9dfe417a6240b798bc0aba2a761640e4f
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/c07fa382-2fd9-475f-8d0e-30b273070ab5/
SH256 hash:
137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289
MD5 hash:
a596ebd2dbfeaf87999c3893b73eebd5
SHA1 hash:
a04f86b9a7a634b0af8701cd12ce92cb14a70738
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/c07fa382-2fd9-475f-8d0e-30b273070ab5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a4cb74b1a586d8ba87bce47b6fa775056586970f3dbe39ddd1e06a1968563a6d

Formbook

Executable exe 137cc4e18cc512d1c430b3760b746755080a945b0394975e1f1101831eb89289

(this sample)

91b57e4a229a929ffef77e2cf564dea624bbc50fd54372d48d8ec812753c976f

  
Link
https://www.unpac.me/results/9e9b9db1-45fa-4592-ac9b-f38ebf2d46c1
  
Dropped by
SHA256 a4cb74b1a586d8ba87bce47b6fa775056586970f3dbe39ddd1e06a1968563a6d
  
Dropping
SHA256 91b57e4a229a929ffef77e2cf564dea624bbc50fd54372d48d8ec812753c976f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
MD5 0401ba1b0e79a95e50ae03a892a3632d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments