MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23
SHA3-384 hash:	bda93e261ce4419649b8b8fa8df6df011d8b7da6ec8a1a0c9da907e98f489fde25e035230133b1a5aaab9aa41cbe4a2b
SHA1 hash:	570f5297e16123ce27ff864f3b955f6cf3553c04
MD5 hash:	97d30b37b8219e14f38b78920223a8fa
humanhash:	grey-beer-green-rugby
File name:	Maersk Line Shipment Documents.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	200'599 bytes
First seen:	2021-07-08 10:22:45 UTC
Last seen:	2021-07-08 10:53:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep	6144:xMm4CCAfqW/T1b1VtdJftH6zuq1hBT0k1:xMwRfqM1dJft+xBTl
Threatray	5'844 similar samples on MalwareBazaar
TLSH	T17514010532E8C8ABD5722E721D3AABAB2EF8B53408A10F0B57A457CD7513791EC4D396
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Maersk Line Shipment Documents.exe

Verdict:

Malicious activity

Analysis date:

2021-07-08 10:26:23 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/f8dd5071-ce80-4fab-a550-4a63fba13478

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/170390/

Detection(s):

SecuriteInfo.com.Trojan.Nsis.Spy.Gen.1.15886.4489.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41414c6a-3419-48db-88d4-7b606cc3d9b6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/813384

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-07-08 04:11:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ry3kxl2vjy34oq5hq5gvhxgfo5i6rc7goowjrrnlvkdttbglnyrq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3afb8f6f86741e036ed7ee941f4875344c2b384d6e9d21c85755bfbce63ee473

Formbook

788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d

Formbook

7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a

Formbook

80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98

Formbook

8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4

Formbook

c9b6e262a0d1effd54b6ffcdc4f761d159e21b74afd02519aed342c1d7fac68e

Formbook

d71677cc4b276a3ecc1de38281a1d88410be241c11422b2b55147bede496355a

Formbook

dd4114ea355d3f70e7683fb8491e2499347b6133bd9ef6d094a0cb6ad8aa4609

Formbook

ebe1f420ea3fcef5b426cf6458d23984e12c4ceb5983571699f60aaa963b159a

Formbook

+ 5'834 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/210708-cwfdh7n816/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

418aba5b51171cfb46b94e20a5a833950d921fdb4e6ec70616fb0ccd088441b7

MD5 hash:

36b3d7438852c4bee0dd511e49cd06d3

SHA1 hash:

d1bba78ca9854facdb0c33a93663b3734c13084f

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/393895f7-2574-41b4-8bb4-dc568e5b71e1/

Parent samples :

9015a3d36c6f378e870487b60ae7854376f55d0959444303691fb4f51d7b7420
314c2feb9e8798e4676b9350faba5721af148fa1e04fcaac8e698bbb027aa7cd
8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23

SH256 hash:

99d14753271f254becce6ad71bde67b1c3fbf34dcba0c8215b4a9bc1b7549b92

MD5 hash:

6b1d068a835ac383a446d0d5d0a86796

SHA1 hash:

f4b2e5788fa69a349853ed6be1178093729b9e9e

Link:

https://www.unpac.me/results/393895f7-2574-41b4-8bb4-dc568e5b71e1/

SH256 hash:

1fc3f71a783ded3808dacec63a645f98666268c6791d7a490e11d9b8d0e1cfb3

MD5 hash:

f6186bbe4a7a6eaf64dbf412a51ce48e

SHA1 hash:

16e8a6fb967e12f9911e613dbac80783acf8f379

Link:

https://www.unpac.me/results/393895f7-2574-41b4-8bb4-dc568e5b71e1/

SH256 hash:

8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23

MD5 hash:

97d30b37b8219e14f38b78920223a8fa

SHA1 hash:

570f5297e16123ce27ff864f3b955f6cf3553c04

Link:

https://www.unpac.me/results/393895f7-2574-41b4-8bb4-dc568e5b71e1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/8e36abaf554e37c743a7874d53dcc57751e88be673ac98c5abaa873984cb6e23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/170390/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample