MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10



SHA256 hash: 314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd
SHA3-384 hash: 9ecff048294c314a0e0c1521b5c14701ccd75ffc170395f11a2d7486614d869f005ee72ca8619b2400e4fdd237a6a6c2
SHA1 hash: c565c5541211d1dffc0026c3373ea2dd8a5e7f01
MD5 hash: 70feaa81667fb00ffb496579f56b7bf8
humanhash: tennis-wolfram-helium-sierra
File name: Maersk Line Shipment Documents.exe
Signature: Formbook
File size: 199'981 bytes
First seen: 2021-07-07 12:55:09 UTC
Last seen: 2021-07-07 13:40:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep: 6144:xMm4CCAMbxnWaSh1rjEndqzH0uMKbHJCsF+kV:xMwRMbOeMAuMKkKZ
Threatray: 5'823 similar samples on MalwareBazaar
TLSH: FD14125893E0C87BE5B3C3B1AE7166B32B97A81819721A1F13308E4C7E553D2CA0F395
Reporter: James_inthe_box
Tags: exe FormBook
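The hashes above are the exact-match indicators for this sample. Note that the imphash is shared with hundreds of GuLoader, VIPKeylogger and RemcosRAT samples, so it identifies the loader or packer rather than the FormBook payload; only the cryptographic hashes (and the unpacked-file hashes further down) pin this specific file. The script below is an added example, not MalwareBazaar's code: it computes the four digests the entry lists for a file or byte buffer and checks them against the values copied from this entry. The input buffer in the usage section is constructed (an empty buffer standing in for a file under review) so the script runs offline.

```python
"""Hash-based IOC check against the MalwareBazaar entry above (added example)."""
import hashlib
import io

# Hashes copied verbatim from the entry for the submitted sample.
IOCS = {
    "sha256": "314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd",
    "sha1": "c565c5541211d1dffc0026c3373ea2dd8a5e7f01",
    "md5": "70feaa81667fb00ffb496579f56b7bf8",
    "sha3_384": "9ecff048294c314a0e0c1521b5c14701ccd75ffc170395f11a2d7486614d869f"
                "005ee72ca8619b2400e4fdd237a6a6c2",
}

# SHA256 of the two unpacked files listed further down that differ from the
# submitted sample (the third unpacked hash is the sample itself). A hit here
# means the same payload reached you under a different loader.
UNPACKED_SHA256 = {
    "418aba5b51171cfb46b94e20a5a833950d921fdb4e6ec70616fb0ccd088441b7",
    "6897103cb308a216378f44599cf7f6aa885d904a41136a0143ec40d05a3edc66",
}


def digest_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Hash a binary stream once, feeding every chunk to all four algorithms."""
    hashers = {
        "sha256": hashlib.sha256(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
        "sha3_384": hashlib.sha3_384(),
    }
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> dict:
    with open(path, "rb") as f:
        return digest_stream(f)


def match_iocs(digests: dict) -> list:
    """Return the names of the indicators that match.

    Comparison is case-insensitive so a hash pasted from a report in upper
    case still matches; a match on any single algorithm is decisive.
    """
    hits = [name for name, value in IOCS.items()
            if digests.get(name, "").lower() == value]
    if digests.get("sha256", "").lower() in UNPACKED_SHA256:
        hits.append("unpacked_sha256")
    return hits


if __name__ == "__main__":
    # constructed input: an empty buffer standing in for a file under review
    sample = b""
    d = digest_bytes(sample)
    print(d["sha256"], match_iocs(d) or "no match")
```

To check a real file, replace the constructed buffer with `digest_file("path/to/suspect.exe")`; the ssdeep and TLSH values on the page need the `ssdeep` and `py-tlsh` packages and are deliberately left out so the script has no dependencies beyond the standard library.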

Intelligence


File Origin
# of uploads: 2
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Maersk Line Shipment Documents.exe
Verdict: Malicious activity
Analysis date: 2021-07-07 09:06:50 UTC
Tags: trojan formbook stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2021-07-07 02:14:26 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
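The behaviour list above is the classic process-injection footprint: a memory area is mapped or written into another process (MapViewOfSection, WriteProcessMemory, "Maps a DLL or memory area into another process" in the signature list) and the victim's thread is then redirected with SetThreadContext. What makes the pattern useful for detection is the combination of a cross-process write and a cross-process thread hijack from the same source to the same target, not any one call on its own, since plenty of legitimate software writes its own memory. The detector below is an added example (not output or code from MalwareBazaar or any sandbox). The trace lines and their `pid=... api=... target_pid=...` format are constructed; a real hook log or EDR telemetry would need its own parser, and the NtSetContextThread / NtMapViewOfSection aliases in the API sets are my additions for native-API traces.

```python
"""Flag cross-process write + thread-hijack pairs in an API trace (added example)."""
import re
from collections import defaultdict

# Constructed trace in a made-up key=value format. pid 1000 plays the lure
# executable hollowing a suspended child (1001); pid 2000 is benign and only
# touches its own memory.
SAMPLE_TRACE = """\
2021-07-07T09:06:51Z pid=1000 api=CreateProcessW target_pid=1001 flags=CREATE_SUSPENDED
2021-07-07T09:06:51Z pid=1000 api=NtMapViewOfSection target_pid=1001
2021-07-07T09:06:51Z pid=1000 api=WriteProcessMemory target_pid=1001
2021-07-07T09:06:51Z pid=1000 api=SetThreadContext target_pid=1001
2021-07-07T09:06:52Z pid=1000 api=ResumeThread target_pid=1001
2021-07-07T09:06:52Z pid=2000 api=WriteProcessMemory target_pid=2000
2021-07-07T09:06:53Z pid=2000 api=LoadLibraryW target_pid=2000
"""

# Primitives grouped by role. The Win32 names are the ones the sandbox
# reported for this sample; the Nt* names are assumed native equivalents.
WRITE_APIS = {"WriteProcessMemory", "MapViewOfSection", "NtMapViewOfSection"}
HIJACK_APIS = {"SetThreadContext", "NtSetContextThread"}

LINE_RE = re.compile(r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+target_pid=(?P<target>\d+)")


def parse_trace(text: str) -> list:
    """Return (source_pid, api, target_pid) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((int(m["pid"]), m["api"], int(m["target"])))
    return events


def find_injection(events: list) -> dict:
    """Map (source, target) to the sorted APIs used, for every cross-process
    pair that both wrote into the target and hijacked a thread in it.

    Same-process calls are ignored: a process writing or mapping its own
    memory is normal and would otherwise drown the signal.
    """
    by_pair = defaultdict(set)
    for pid, api, target in events:
        if pid != target:
            by_pair[(pid, target)].add(api)
    return {
        pair: sorted(apis)
        for pair, apis in by_pair.items()
        if apis & WRITE_APIS and apis & HIJACK_APIS
    }


if __name__ == "__main__":
    for (src, dst), apis in find_injection(parse_trace(SAMPLE_TRACE)).items():
        print(f"injection {src} -> {dst}: {', '.join(apis)}")
```

The check is intentionally order-insensitive: hooks often log calls slightly out of order, and the write-then-hijack pair is what matters. If the trace also carries thread creation, CreateRemoteThread would belong in the hijack set alongside SetThreadContext to cover the non-hollowing variant.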
Unpacked files
SHA256 hash: 418aba5b51171cfb46b94e20a5a833950d921fdb4e6ec70616fb0ccd088441b7
MD5 hash: 36b3d7438852c4bee0dd511e49cd06d3
SHA1 hash: d1bba78ca9854facdb0c33a93663b3734c13084f
Detections: win_formbook_g0 win_formbook_auto
SHA256 hash: 6897103cb308a216378f44599cf7f6aa885d904a41136a0143ec40d05a3edc66
MD5 hash: 80b7c8675b8876142040c591273c3e4c
SHA1 hash: a19508ddcd24809d34a0cbbca074fb9d0c47112d
SHA256 hash: 314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd
MD5 hash: 70feaa81667fb00ffb496579f56b7bf8
SHA1 hash: c565c5541211d1dffc0026c3373ea2dd8a5e7f01
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments