MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments 1

SHA256 hash:	bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71
SHA3-384 hash:	65ed33c15af5a10686bb686f2149b3aa14751b1abcfdb3ea77ea1bc4a67637393e5b4e4e1e4c8e1a20cb769e9757b40d
SHA1 hash:	3b6f6298e83776e44362f558df9aff9128f9bebc
MD5 hash:	d021c22ba09ae67c07936cc698af2bff
humanhash:	juliet-hotel-purple-london
File name:	d021c22ba09ae67c07936cc698af2bff
Download:	download sample
Signature	Formbook Create hunting rule
File size:	282'624 bytes
First seen:	2021-10-04 09:48:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	034798d5891f6a110ab94befc4c55274 (2 x Formbook, 1 x GuLoader)
ssdeep	6144:+ajB9wsfkJuoMQF9CxX/tO7JS4PIcJ1Eyo:+aNHQRMQHg/tGTPBfE
Threatray	7'841 similar samples on MalwareBazaar
TLSH	T149549D229601C030F2A245B1B26AC7B687FFCC3C6615D3A7AFD13AD56FB0191A5253DE
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Order PO200305-01.xlsx

Verdict:

Malicious activity

Analysis date:

2021-10-04 09:20:27 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/33a2bfad-dd6d-4cac-850c-81450c7ad57c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/194521/

Detection(s):

Win.Malware.Formbook-9802749-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/615c0f2db95458900cdc5ff2/reports/60c2d6a4-0751-493c-8049-a98529718f2b/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/46df2806-bc49-458d-a26c-ccdb019db5cf

Result

Threat name:

FormBook GuLoader

Detection:

malicious

Classification:

rans.troj.evad.spre

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/863792

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-04 09:42:47 UTC

AV detection:

15 of 45 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xnk4rdfenm6tjvmob7m6vtw4fjfxkpznnz6z2frhxix5sfg6vryq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2d0bddbcdb78a0fed7250784feb4238aa9ad086fb4c9ab8d7c877a6ff503d309

Formbook

2dc7525f9ee6e09a25f840b457bf5b0ba228c4697e1f3d4b81bd2964d2eafc61

Formbook

3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3

Formbook

40da3a76d7dfbe395b879dc9b090af73483617c65c7c433975490c0a22e4a71a

Formbook

6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b

Formbook

ab4676fc90e455da2127126bfbd1fd167328c79eda83f686ef71dd89266825f5

Formbook

e51c60f40080414b74c2eeef62780b28aa31c7875dada6dc2097323a61cc8396

Formbook

ea12191fcd49d36b68be2c466a24cac87cfd79f9d1fb18ef252037f0fb976979

Formbook

+ 7'831 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:guloader family:xloader downloader rat

Link:

https://tria.ge/reports/211004-ltcqasgbfq/

Behaviour

Suspicious use of SetWindowsHookEx

Guloader,Cloudeye

Unpacked files

SH256 hash:

bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71

MD5 hash:

d021c22ba09ae67c07936cc698af2bff

SHA1 hash:

3b6f6298e83776e44362f558df9aff9128f9bebc

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6fae9640-885b-4c35-87eb-048179354409/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.