MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 22 File information Comments

SHA256 hash:	37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22
SHA3-384 hash:	cea8ac0aa12318e0c37d4f1292d9f40a735de40a2410c2046141ae1b0f41d4d21b7dae5d82f9e3968f9ec4c1ec69e38c
SHA1 hash:	ca2e787144dcd2b969fe7bf78de63ce63084bc61
MD5 hash:	31aeff0b92d96eb73d4aaf624eec07a8
humanhash:	lactose-leopard-network-floor
File name:	FEB PAYROLL 2024.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	668'672 bytes
First seen:	2024-03-19 09:00:49 UTC
Last seen:	2024-03-19 10:30:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:/lPloOJRYWqI9eJwqI570fxuP8oIrXrwbTLkQB2rJ0szg8fOMsSAol:N9oOJbHa3ICJEAkTLvAJHwSAW
Threatray	839 similar samples on MalwareBazaar
TLSH	T1F7E423A07975C1D3CFBB86F819789B810BB2588E7D64D2D88CA511CF85E1F412211FEB
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22.exe

Verdict:

Malicious activity

Analysis date:

2024-03-19 09:25:27 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/4d53c7ee-e0f2-418f-91df-a8307311338d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65f954565cd908a33db8e523/reports/a72764f7-0514-47f3-88b6-5350c998df4b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MSIL Injector

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/49d25510-758e-46aa-86c1-ab36b462dd18

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1411586

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2024-03-19 03:14:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g7cpj6ez4cbxcbbojngmao4hff4ytlkcjrrcfct2kaut6lvh3yra._file

Verdict:

malicious

Label(s):

formbook

Formbook

614ae605266b9829b5577ebd8562f5fadb2ef82337597d32e54c8ace9f1ea25c

Formbook

70f27cc87397701a73835625b0ee8caf3ef97b506554f2a7f65c2c08afd264f7

Formbook

b3dd3ec805692dca3ce544068053b8d4e85521265dd4a1392ecf0d47b2814c66

Formbook

d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0

Formbook

d68a5d440931df383de62e3436f5f485ecd75b552e8b78065706a8c880828378

Formbook

dfa384f6136c43639f6c66766ca81c245e65a70fcf92015656b1cd7a579a3647

Formbook

e54350487bda76835619ccc44ff79db38db5183f544efbf33159cfd707bcdb75

Formbook

+ 829 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240319-kywhjafe84/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

d098e5b0477b97ea0af6ac09a52c8783161d4f315a37d510f396b30f22ed3dd7

MD5 hash:

d4c5213fd5fff502de06ef4879627fe0

SHA1 hash:

dd36a8c2538f86865e7a3859df33be7b3c2a8376

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/dc377f5d-0055-4283-9b6c-e55e08a7b9b9/

Parent samples :

c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10
37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22

SH256 hash:

318cbe6c5e8564e124fb94887d6cc6da5b6589e4374980aeaaca1e90279c3c5a

MD5 hash:

5c6bf8dd2e824198fe624a6f22a7be6e

SHA1 hash:

1092637d98fcf9f5bdc078c686ddc81712e69a50

Link:

https://www.unpac.me/results/dc377f5d-0055-4283-9b6c-e55e08a7b9b9/

SH256 hash:

bc39c3ba2ef220300f37e0ccffd84e387eaa28c831859c3588cdfdeec243b0c5

MD5 hash:

e4c53cafec45a303e00d4d7702b02822

SHA1 hash:

bf21964cd02330655a1eb04fb83ece35899977bf

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/dc377f5d-0055-4283-9b6c-e55e08a7b9b9/

Parent samples :

5d7b1224c77b4413e49156de8a050fdcfbfc5cc75b3d73c13abd67475ddabd3c
70f27cc87397701a73835625b0ee8caf3ef97b506554f2a7f65c2c08afd264f7
f7e3d289131a067c332064bd6f6cb7d336f0fb0476af14eea1d1b1a7127493a9
c1ecdc617db839e561aa5318e3458ce0f0db30386f8b9cb5586314b2e75a8a7d
54a4891d6753b4acaa07bb6c01aebcb44a0140ffc05ccdc53785a74365969585
2843aae844d0b90a78597dc383828ef6d67ecc6e3d5e689ca4567bc823383b72
994e690703864150e91ac5f4d3cd5264d45e2ecc182424bd5285cbf935cb855d
37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22
921d900f4ba05b2c93f5ca8076861ea60f698eecc36e4fd6013a415592e3272d
82048072a8cf203444037aa1f037b305437c7a273811a2287f2a5addb2cbcb41
c7a16881f8c69d16a9b0bdcbfdd5c4aada81eba19521d1c03ee7f6005f7d6629
78b15621d0319e8b7a105e1aa9a1927fb434bfce29e2a4f56051f552e393f08a
12c7ec6f047ebf12cb9f142bb71fb0de5a61de79286776440b5814c94d93e2e4
9f70d8532d4c8655671ecb52609c6ba9e8e34dc0b08cbb92ca795b59a9bdc862
ce213fe45b524d85486c2f3956e17a333b2d8ecbf1d73078bf56014cc1c7702c
31462fecb3ea50e9d958b14e99acf10b91ef3207224f82a90c6b15f0f1d1285a
7f610fb90140292d4a5dfcb4bd0e691833307a428714f6381fefaa6c39bc5bed
94279f693b7bb1c21594d96e572ebc15e6aea416816b03d677a3875ebb84a99b
413bf66fb3f4c507d5e04fcd975056619d5874af3b92fa59eb9db52d18e2928b
8243f0400ffe13c6d332e0ab70af833ae44e446a5419f411a5c2586c86c51277
9d4ba0d30577e0398c95e01ff42e2ea2f2f02dcb50ff3202f6077de094e7a439
46c5c413b31c08c49b03d6de4ddb926863d66a7d0b39b7b30cb340d2cb963ad0
cd00f31be2b7bb08d5e499cbe39d3ab9d5aac66ba0a5e5ffc3e97bd9cc598fc1
8ab205dc4d6f7c232cf9e2047a6abf4b2bb6425258cefeaf9b05e922c8229c6a
32b7561a0ed879b965b01f99cf9cd249f533104462bbec8ff65a4607f61d75ec
d302ca49fbe8a59c391e8de2ba44683dbff2e9b97fd136b9dea96f4354defb62
3edd3fe6434d631459584bfef13f646c14866e7d99121a3067d10f1e330b28e6
18f2d604285e3f9987eb47ae56cda190d11ae271a5ac05f0413b2c988ae241e1
5702612caa2cfd626ce28bb1e173d884d5314e0922bca28d979e7bf5158441e2

SH256 hash:

9390502a7498976297d699417f817c9e5443ce3d3f917a6d7fa3afa274adee58

MD5 hash:

49cc0ea9679ab31ce8bbfe3439f26c08

SHA1 hash:

63975a78f4b8a3f37a39ac1f0022e51b016dff64

Link:

https://www.unpac.me/results/dc377f5d-0055-4283-9b6c-e55e08a7b9b9/

SH256 hash:

d82dd56e9c9a459d5b9fb375fae69f46191e6f9227883d0cadcb9085530eb8bd

MD5 hash:

921c76d8400687c1d71e4be21ea09e2f

SHA1 hash:

2a4b17c1c0be1494c06073c926602661d3309085

Link:

https://www.unpac.me/results/dc377f5d-0055-4283-9b6c-e55e08a7b9b9/

SH256 hash:

37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22

MD5 hash:

31aeff0b92d96eb73d4aaf624eec07a8

SHA1 hash:

ca2e787144dcd2b969fe7bf78de63ce63084bc61

Link:

https://www.unpac.me/results/dc377f5d-0055-4283-9b6c-e55e08a7b9b9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/37c4f4f899e0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample