MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf08a37ece16dd2e5f8484b49437bb1d84ec62f8dd64b791cdcb6af1ff691568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf08a37ece16dd2e5f8484b49437bb1d84ec62f8dd64b791cdcb6af1ff691568
SHA3-384 hash: b389fbb912713c262b2747c9d25a5d86f3341d03ce25169c07d65b6d51c05434319e3e02e7bf75c7f981853ba9216231
SHA1 hash: 44174d331f2c4bbb3a02617774c94f17d8703e74
MD5 hash: a63422b7c6e0cf3bf52fb516205cb711
humanhash: failed-video-july-lamp
File name:Merostomatous.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'278'072 bytes
First seen:2023-04-21 12:43:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 24576:eO5UfDFgKjASXCjjpNNUcm6R2s6WQtlAN3f4sjou7vNfAvUiDFhr:eOMDuU/UNcdsktluTjou7RQf9
Threatray 739 similar samples on MalwareBazaar
TLSH T1664523656750CD6FC160B2379F3AC4B9C36B753669307B0E1304FAE6A979242922F78C
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 58eed21429a9d0d4 (2 x Formbook, 1 x GuLoader)
Reporter malwarelabnet
Tags:exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-23T07:53:39Z
Valid to:2026-01-22T07:53:39Z
Serial number: 1adc9d84a423fb01a2d3613ac821a8afb0c3245f
Thumbprint Algorithm:SHA256
Thumbprint: c8efda16ef038a3b22df21fb6a69b71363c04d0d517c1e63c2f6d658d8257101
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Merostomatous.exe
Verdict:
Malicious activity
Analysis date:
2023-04-21 12:46:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c99e578-8b38-4089-8520-5e68b2e6d547

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383944/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/644285147ee5da80cfdfee72/reports/9f971a1f-c456-4b3e-a321-8bb694f75ff0/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/bf08a37ece16dd2e5f8484b49437bb1d84ec62f8dd64b791cdcb6af1ff691568
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33171ea9-8602-438e-9ac5-25507832008e
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218613
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 851562 Sample: Merostomatous.exe Startdate: 21/04/2023 Architecture: WINDOWS Score: 100 37 www.yin.world 2->37 39 www.yf979.com 2->39 41 30 other IPs or domains 2->41 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 8 other signatures 2->59 10 Merostomatous.exe 1 36 2->10         started        signatures3 process4 file5 29 C:\Users\user\Manna\...\libzmq.dll, PE32+ 10->29 dropped 31 C:\Users\user\Manna\...\libfreetype-6.dll, PE32+ 10->31 dropped 33 C:\Users\user\...\default-browser-agent.exe, PE32+ 10->33 dropped 35 3 other files (none is malicious) 10->35 dropped 71 Tries to detect Any.run 10->71 73 Hides threads from debuggers 10->73 14 Merostomatous.exe 6 10->14         started        signatures6 process7 dnsIp8 49 drive.google.com 142.250.203.110, 443, 49790 GOOGLEUS United States 14->49 51 googlehosted.l.googleusercontent.com 142.250.203.97, 443, 49791 GOOGLEUS United States 14->51 75 Modifies the context of a thread in another process (thread injection) 14->75 77 Tries to detect Any.run 14->77 79 Maps a DLL or memory area into another process 14->79 81 3 other signatures 14->81 18 RAVCpl64.exe 14->18 injected signatures9 process10 process11 20 help.exe 13 18->20         started        signatures12 61 Tries to steal Mail credentials (via file / registry access) 20->61 63 Tries to harvest and steal browser information (history, passwords, etc) 20->63 65 Writes to foreign memory regions 20->65 67 3 other signatures 20->67 23 explorer.exe 5 1 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 43 www.hzibrahimkurankursu.com 69.197.188.43, 49828, 49829, 49830 WIIUS United States 23->43 45 conexaoimoveislitoral.com 162.240.81.18, 49837, 49838, 49839 UNIFIEDLAYER-AS-1US United States 23->45 47 17 other IPs or domains 23->47 69 System process connects to network (likely due to code injection or exploit) 23->69 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf08a37ece16dd2e5f8484b49437bb1d84ec62f8dd64b791cdcb6af1ff691568/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4ekg7woc3os4x4eqs2jin53dwcoyyxy3vslpeonznvpd73jcvua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11b7ed15ae6b1bb53ad3eeff567acb939f794bfdf067b6c3c07c19a15a02fb8f
Formbook
63351d94c96745a2830b1a206583511c04d1f78cd631d2c51c08cfd391f4a211
Formbook
6769905302dd965b16c74da2c0a5633dd4cbfe5c8879a5db6a7322d53d668533
Formbook
8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a
Formbook
8f576935bb94657e73e9b2d2aa9d1de9913f69c1a5b1251a526d5258dfe498fa
Formbook
929bb5ebaacd2750b9f7cbabb07e7fdf678d2958b8552af4e7fb705bbb92c21e
Formbook
b4ae90babbf85fb137c173dbc6a8791c9b40a7d9b32ab70ef81284736c683710
Formbook
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Formbook
cc2ffcb49e5ff1b4f1be2c0c8f5bef3cf51caeef5fcd8be8a6367174b7dd8063
Formbook
e6303d0730eaecd16e8a3becf77fce3d5da13155d2e27e102ecc2b700ad42814
Formbook
+ 729 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230421-pygrlafe76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
MD5 hash:
fc90dfb694d0e17b013d6f818bce41b0
SHA1 hash:
3243969886d640af3bfa442728b9f0dff9d5f5b0
Link:
https://www.unpac.me/results/a6ba4980-0d28-4667-8f2e-a2656a0a75d1/
SH256 hash:
bf08a37ece16dd2e5f8484b49437bb1d84ec62f8dd64b791cdcb6af1ff691568
MD5 hash:
a63422b7c6e0cf3bf52fb516205cb711
SHA1 hash:
44174d331f2c4bbb3a02617774c94f17d8703e74
Link:
https://www.unpac.me/results/a6ba4980-0d28-4667-8f2e-a2656a0a75d1/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf08a37ece16/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/bf08a37ece16dd2e5f8484b49437bb1d84ec62f8dd64b791cdcb6af1ff691568

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383944/

Comments