MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c2f373ff5cc5a441bb057f2f168b5bf502b9c98d3ad1640be39dc617c6d7b03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c2f373ff5cc5a441bb057f2f168b5bf502b9c98d3ad1640be39dc617c6d7b03
SHA3-384 hash: 9ca291df4c00be2fb49772b83a708e5e7818a8e74a2e35090b3cb3f405d0825107e6bbbb06d3879bc92f1aea5916f0a3
SHA1 hash: fc27d37f8fd45b4dcabd79d05ba86b97e511e3c8
MD5 hash: b3fc98596e410ebebb2c1f39007abaf5
humanhash: mirror-nitrogen-grey-georgia
File name:b3fc98596e410ebebb2c1f39007abaf5.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:348'968 bytes
First seen:2023-08-15 12:52:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f10e4da994053bf80c20cee985b32e29 (65 x GuLoader, 9 x RemcosRAT, 6 x QuasarRAT)
ssdeep 6144:QM23fNkLCxC1X5G8/GjpDeZFYNIcQnT8E/f3gBaVjl9YBsxVj3Q:oPNlxAGPjpDebYpG3LVjYBsX3Q
Threatray 1'826 similar samples on MalwareBazaar
TLSH T11C74131272628853E273D6708EBF4D81FBF4E112286A731B673257E5BE13181990F76A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-25T01:23:24Z
Valid to:2026-01-24T01:23:24Z
Serial number: 4f54cf0c98a5182942a870e02470bc21ab3f8208
Thumbprint Algorithm:SHA256
Thumbprint: 0fbd6fca018dcef65aec76b779013a94eb9f5c3bd56f77f11096f366b638c3f3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.xls
Verdict:
Malicious activity
Analysis date:
2023-08-15 12:21:15 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/12e9fdf3-df5c-49a7-a6c7-599c884cb236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442835/
Detection(s):
SecuriteInfo.com.NSIS.DropperX-gen.1097.13373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102890/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/8c2f373ff5cc5a441bb057f2f168b5bf502b9c98d3ad1640be39dc617c6d7b03
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4dacc288-5527-426d-88d7-b21143671287
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291465
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1291465 Sample: jaYwF6fELS.exe Startdate: 15/08/2023 Architecture: WINDOWS Score: 100 34 www.w2w37.com 2->34 36 www.virtusnets.com 2->36 38 25 other IPs or domains 2->38 56 Snort IDS alert for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 7 other signatures 2->62 11 jaYwF6fELS.exe 1 44 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 11->30 dropped 32 C:\Users\user\AppData\...\RadioSupport.dll, PE32+ 11->32 dropped 70 Tries to detect Any.run 11->70 15 jaYwF6fELS.exe 6 11->15         started        signatures6 process7 dnsIp8 46 192.210.175.4, 49767, 80 AS-COLOCROSSINGUS United States 15->46 48 Modifies the context of a thread in another process (thread injection) 15->48 50 Tries to detect Any.run 15->50 52 Maps a DLL or memory area into another process 15->52 54 2 other signatures 15->54 19 explorer.exe 6 1 15->19 injected signatures9 process10 dnsIp11 40 virtusnets.com 192.254.233.191, 49776, 80 UNIFIEDLAYER-AS-1US United States 19->40 42 www.blenderhigher.space 185.104.45.49, 49782, 80 UKRAINE-ASUA Ukraine 19->42 44 12 other IPs or domains 19->44 64 System process connects to network (likely due to code injection or exploit) 19->64 23 wlanext.exe 19->23         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 23->66 68 Maps a DLL or memory area into another process 23->68 26 cmd.exe 1 23->26         started        process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c2f373ff5cc5a441bb057f2f168b5bf502b9c98d3ad1640be39dc617c6d7b03/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-08-15 12:48:34 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqxtop7vzrneig5qk7zpc2fvx5icxhey2owrmqf6hhogc7dnpmbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
1d5bb553d60ae8991ac063133535b4e3b9d858e0235a8d48c9c27cc8c52b663b
Formbook
28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
Formbook
3682f76c6feec004f58d0b9c732b45215375d45f250bdac03fb3694097710c3f
Formbook
41618cb3eabd9750fa776f31b8117e4025fd3d03af5e30d62100d84ce8101406
Formbook
83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
Formbook
856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
Formbook
86d7bb37384646a755a03c2f6e743483ee40d5af6f018824e89c54a9308ceecf
Formbook
a31f2c90d1b4546cc56693c44f07e4f161d52fecf99c4b1ddc2b2674e49f51fd
Formbook
b36dee6691e5fe4f8caabfe5602e16b6a287f98aa3a13df2deedad15e31aec32
Formbook
e6303d0730eaecd16e8a3becf77fce3d5da13155d2e27e102ecc2b700ad42814
Formbook
+ 1'816 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gs22 rat spyware stealer trojan
Link:
https://tria.ge/reports/230815-p4mvsscg3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
MD5 hash:
e23600029d1b09bdb1d422fb4e46f5a6
SHA1 hash:
5d64a2f6a257a98a689a3db9a087a0fd5f180096
Link:
https://www.unpac.me/results/739f03dc-523a-4477-8ceb-979c488ba94a/
SH256 hash:
8c2f373ff5cc5a441bb057f2f168b5bf502b9c98d3ad1640be39dc617c6d7b03
MD5 hash:
b3fc98596e410ebebb2c1f39007abaf5
SHA1 hash:
fc27d37f8fd45b4dcabd79d05ba86b97e511e3c8
Link:
https://www.unpac.me/results/739f03dc-523a-4477-8ceb-979c488ba94a/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c2f373ff5cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8c2f373ff5cc5a441bb057f2f168b5bf502b9c98d3ad1640be39dc617c6d7b03

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2704698/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/442835/

Comments