MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab
SHA3-384 hash:	7d99396beda67e20cf9c28da1208f6b3560d34317bb05cf354ba05a5ebfcaebac2757200b32c5f74590c47b857307d63
SHA1 hash:	6d8bb4e47d7466e4f8621b59417a143e309c3682
MD5 hash:	e9fff61eda3e215d51499c06e5391937
humanhash:	eleven-zebra-east-artist
File name:	DHL Delivery Documents PDF.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	285'184 bytes
First seen:	2022-02-02 21:13:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:lB2MloAY00OfiFvcQtHTrVhlrNCsQiF6bmbBhljhYVooJ8L:T2MmAY0nfscQtHn3Cs5lBRX
TLSH	T11254028ADAC74213D52E5AB6308356C38FA1921D7D92CA572CCA359E295F30E3447ECF
File icon (PE):
dhash icon	550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/230719/

Detection(s):

SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

DNS request

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/61faf4266d25ac9e79fe6589/reports/80d82496-4537-4966-a7f5-62481d06a089/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/703d7b58-b812-41ff-b53e-a682c5d71dc2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/932780

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-02-02 19:03:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qlfdp6gqwyyoyixxwyfhzzxf5beqzjyd6jalbwyqwltoafgf2svq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:zqzw loader rat suricata

Link:

https://tria.ge/reports/220202-z3b21sbefn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

79ae0b03c7fb13f978ce4d5240f8ac11d7df67fa21d870dd77fc7566685c2ec2

MD5 hash:

b1e1ec5c090c44cf46751f1a1ec609b6

SHA1 hash:

ae8c65bfa078322b1f6ff8fec4361373edaf01a5

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/61e675d5-ff03-4559-9338-e03c18f78e6b/

Parent samples :

82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab
e8232a6b14f66804622f2ea2bfd8c2d8bfe5eef292f664c5801844b96a84d125
2a170cc5086a00b41ce8ff4bcf8fce45f85aef342d4cf4d08f018943cc5221ac
fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785
ed99b5652455f1287171fd7d49a5ac69add7ed72a08712d4c66f6474fd094615
08e2b0e469f2809991e59e65177fe994f3aeeea601a2af8aec6c7ae1406debb0
cd4ee025ad3406b7e572952d42465eee19649cef6c0d3a6acbb0e972096988f4
670a250601cc6d66fe3491438274b4a3de650b7283525caf699ab7d81ff93b93
3c6a613507d90d332e2d4d7f91c7c2ef3135e464e5937b1da1a9c4f749528343
c0a5470477f1ef65286a66e14b46c02b71c41eabc473b9885fbe7911844d90b7

SH256 hash:

b247665d115dfec5e0fd6595cd872918fc5a668565191f7b2d06c648c5ea1ffe

MD5 hash:

10578d81e5ec84df25208adb6dacb394

SHA1 hash:

8f63d725d70b19094e14a9454f3b6ac3a7668b0f

Link:

https://www.unpac.me/results/61e675d5-ff03-4559-9338-e03c18f78e6b/

SH256 hash:

82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab

MD5 hash:

e9fff61eda3e215d51499c06e5391937

SHA1 hash:

6d8bb4e47d7466e4f8621b59417a143e309c3682

Link:

https://www.unpac.me/results/61e675d5-ff03-4559-9338-e03c18f78e6b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 82ca37f8d0b630ec22f7b60a7ce6e5e8490ca703f240b0db10b2e6e014c5d4ab

(this sample)

Dropped by

Formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/230719/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample