MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf
SHA3-384 hash:	8c632001241b4f49c6f847a7aad08c753f1406f353285895b3c29be187dccdc660cdccda984bd3af4240d877d88f855c
SHA1 hash:	3d0a1065612c4cfeefb24322acf9cb43d904362d
MD5 hash:	0b87473ff163964ec111f298547075b9
humanhash:	happy-autumn-asparagus-delta
File name:	SOA March 310322.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	314'584 bytes
First seen:	2022-04-01 16:00:44 UTC
Last seen:	2022-04-04 05:50:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:RNeZON827N5wptBh8EF6+ofNxn1g50EG8Y0lWNe7I+4auF9PX:RN7NvJ+ptBCU6++gr86I+69PX
Threatray	14'803 similar samples on MalwareBazaar
TLSH	T199645DB919559B4FF26E1C3D81A83B89A0B059C593835D4DDB2C39FBF5F5308A0CB84A
File icon (PE):
dhash icon	f0d092b2ea8cc4f0 (3 x AgentTesla, 1 x Formbook)
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.3581.19544.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12352/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/624721bf9253b276b7c1b50b/reports/6829396a-5a47-4124-b524-3b7ed4d4bc0d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd109278-2b41-4a2b-8c8c-a067b4170570

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/969145

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-04-01 13:31:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g6y3ruma6bozxz6fvgbb5eytte7fx3fpaos6i32nzfyrvvcm5kxq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3987ea55911d57e4f6e97332a95794f8d38465b521f5b27e0372a4598ed702b6

Formbook

39cc0c369b8ce6f0570864f4ac0019abed40383a582aae1a13c34e2de08a7168

Formbook

69785e004f3bf684c91c8f188058022933f954154f42d4dc41047be3713397ea

Formbook

89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

Formbook

8ddf9843afa2f66549fe02a8ddc9811c2ca231f3107340272879da1a782159f9

Formbook

acf40f9d3eea74324291c55f5ab8d3678e0dcc085581bdd9cf66897f4324bc3c

Formbook

ea1c7db69290a2b343646ede684b58ed96e891feab6dadbbc9909c1c245d4bf2

Formbook

ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842

Formbook

+ 14'793 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:op53 loader rat suricata

Link:

https://tria.ge/reports/220401-tf7braaaam/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

0d37038858fe778955c3bb5953ac4ebded1fe5193401adb0fb03bd141e8d015b

MD5 hash:

63b6d2698fe76698c0e352d22b7173b0

SHA1 hash:

dfdf58820584e7d4df4cc574d5ec389aeacd6e06

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9bfec444-70af-4773-bbaf-48db7965b0e2/

Parent samples :

0068d2689ad7ece35e2ff64c617f602046573a7f1c3af13efbbb45990dc17aea
04464b5872e342d59c8f4c85443fb3198a35544a9844d9a20618b7808f649464
d03f00ecce22cef615ed1cc86894e3b57dad4e78ef7a34af16f7479be9f84cf1
69785e004f3bf684c91c8f188058022933f954154f42d4dc41047be3713397ea
37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf
7ecfcfe4b4c8d6f50a38131f50bb86329510a038d22abf1d556d45552b5c06cd
6f297bb4016558a90be2eacf5707f91010ae324f55ca20ec983c32c853389458
93147c02e1b23c567066353a89bf3ed2dcf0b1e7e2e1ee3c435cdd3b085d4f9b

SH256 hash:

5ea8922abca03b6582faa74be8fae96517e6e0140362ed5c485d0d2670ba997a

MD5 hash:

167ec653c071922cc7a45c663a4779c5

SHA1 hash:

9b2e6c83ad4eb8679c0c66c306e1f95944b95ebc

Link:

https://www.unpac.me/results/9bfec444-70af-4773-bbaf-48db7965b0e2/

SH256 hash:

5c79dd9449eeaa3610e2d7f095b9a7c3b70790515b10c701b34645c170b5f6a7

MD5 hash:

45a34846aea94f56124300599733285f

SHA1 hash:

dd5af2f4ae1e6aaf651997654ddeebe01ebe5b3f

Link:

https://www.unpac.me/results/9bfec444-70af-4773-bbaf-48db7965b0e2/

SH256 hash:

37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf

MD5 hash:

0b87473ff163964ec111f298547075b9

SHA1 hash:

3d0a1065612c4cfeefb24322acf9cb43d904362d

Link:

https://www.unpac.me/results/9bfec444-70af-4773-bbaf-48db7965b0e2/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/37b1b8d180f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37b1b8d180f05d9be7c5a9821e9313993e5becaf03a5e46f4dc9711ad44ceaaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample