MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37fa31427360d762439a46e805c18146897384a73e22c02eea7612d9a92d4639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37fa31427360d762439a46e805c18146897384a73e22c02eea7612d9a92d4639
SHA3-384 hash: 26ae4ac4f4f20fb817dbb0b255b61cf8fc68001e15278ed8f5b625f84c887849ff5650b9c1d24206e9f3ef180f84bdcd
SHA1 hash: 482b540039ed9409fc80e188d2a10ea9c0009c4c
MD5 hash: a12a9f294c38a0668d4fadce425a08a4
humanhash: blue-lactose-comet-paris
File name:Order 3027838.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:449'858 bytes
First seen:2022-02-02 14:46:46 UTC
Last seen:2022-02-02 21:52:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:nwxWuYZOUelA2BxJCNlVRYWwWBN0ow6Zos1FC8R1PBbZ3WCUT:7uYmzvCNlwWwlf6ZDF1BFo
Threatray 13'180 similar samples on MalwareBazaar
TLSH T1E4A4CF0B62857D42F26389BE502D94ACEA65BC341B92F9DF53C07B3ED9313C182319E5
File icon (PE):PE icon
dhash icon 69cce0f0cccc70b2 (1 x Formbook)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/230245/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61fa996d6d25ac9e79fca1db/reports/95c622cc-c2af-49f3-8050-4b7ae4d6396c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RaRansomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a92b5e19-ce31-406d-8afd-e914682c2b08
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932508
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 564986 Sample: Order 3027838.exe Startdate: 02/02/2022 Architecture: WINDOWS Score: 100 31 www.vear.club 2->31 33 www.lifement-test.com 2->33 35 2 other IPs or domains 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 11 Order 3027838.exe 19 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\fhudw.dll, PE32 11->29 dropped 63 Injects a PE file into a foreign processes 11->63 15 Order 3027838.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.shouldimint.com 213.186.33.5, 49775, 80 OVHFR France 18->37 39 www.villagecrossingapartments.com 208.91.197.27, 49801, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 18->39 41 13 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Performs DNS queries to domains with low reputation 18->53 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 61 Tries to detect virtualization through RDTSC time measurements 22->61 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37fa31427360d762439a46e805c18146897384a73e22c02eea7612d9a92d4639/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 01:09:51 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g75dcqttmdlweq42i3ualqmbi2exhbfhhyrmalxkoyjntkjniy4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0be58a33d1ccbb74ef24592d2d16009bd56638aef6c294af7793e57588e04ef6
Formbook
1b63747868505bd36bda5292992b2ff09c371844379d7a180530e02186524627
Formbook
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
Formbook
5111f4fa05b89a9d727c4686485acedc16553a7715fd36776c68972acf8e5382
Formbook
57037671020fbbcf7e45114c351297ed8ccf818410c36aa4030434bc41ce86b3
Formbook
58f65684890c1ec3e63d010defd5f3c48f963865d2fa1d468d5a5f44b7026164
Formbook
6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
e5ba1cfe2454e107c54219a4368bbe6921069e3e51608079bbfcfc0593caa4a0
Formbook
+ 13'170 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220202-r5v9nsadan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
0ce19f8378ae3660546d44ca7054e8ddf7a908cf8f745362b9154cd698d6378c
MD5 hash:
f22e686588ae2133fa5367d30d023b23
SHA1 hash:
f45951e574667d3bf0a008ed6f674e5fe78f1104
Link:
https://www.unpac.me/results/f9da2b59-1896-468e-92f1-73b1593f29c0/
SH256 hash:
37fa31427360d762439a46e805c18146897384a73e22c02eea7612d9a92d4639
MD5 hash:
a12a9f294c38a0668d4fadce425a08a4
SHA1 hash:
482b540039ed9409fc80e188d2a10ea9c0009c4c
Link:
https://www.unpac.me/results/f9da2b59-1896-468e-92f1-73b1593f29c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/37fa31427360d762439a46e805c18146897384a73e22c02eea7612d9a92d4639

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/230245/

Comments