MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
SHA3-384 hash: 54b51fbdd28558e1432c0b25f36579d1f5cbe3db737facec82a5d4294ce0d861b3d13505b36f43d582d6e900082f5644
SHA1 hash: 943e28a8cac663dc4beba7b9d298fb7268e1dcfa
MD5 hash: d22375a02236939df6e4f2b423322465
humanhash: high-romeo-east-early
File name:RFQ for Req 12465.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:300'006 bytes
First seen:2023-06-01 06:02:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:pYa6myvpo9HV+vftlItkuk66Km4VC7PP3ZovVb0f3FeuZrC3y21:pY4rMbIyLSmb7PPpovVb0fZZN21
Threatray 2'951 similar samples on MalwareBazaar
TLSH T15D5412546AF19123D9B313722D7972176FE9ED2730E9470B23246E29B932653C90FB32
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ for Req 12465.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 06:05:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/410bf3ef-4b5e-4f9e-a0b7-a9155829bf8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394300/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22782.16198.11150.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88897/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/647834978c539ae218a0943c/reports/bbc9a6f7-0ed6-430f-9044-288001d20551/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/692d5e0c-68b7-44be-8cf8-2debd903ef8e
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246588
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-31 22:46:30 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5udptlezcrx7ra3fwdi7xiurzrx7etomzs74jpub4vummt434yq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1583037e8ed80b3e80955da8e0138cbce6faf0fd0df77f50c7551d290ec67f2d
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
4b2c21ea5f69768b3fa702304683c99e18dea0823d0c8585cec84be4210f08da
Formbook
730fa0df480a7101f3ba68bffa45423b39901c43b204008dfd509fcfff75d9b2
Formbook
ad8fd0b0690db382dc13e6e8a7365581877af214c39ca5dd673b8cea760e8891
Formbook
b819e0dd1a5dc229d16fa74251262ce7fdd7581a71f66c9dec61149a7c4c7a76
Formbook
bee95f90676280bca3212cc77b2dbd497f590cd560ce3005f2998fa324698427
Formbook
cef638f9ba310dfd22719a682dfe6ad1a07c06b122b54127e2a6257e9acc7752
Formbook
d0751a97dcbfedcddcf4c05434a1563f2c46c037b05744f7cbde14cd49584b61
Formbook
e0917d732b7c34e4ff60f30a9115ad84dbf3eb15be3301db9bb7297f1ac8581c
Formbook
+ 2'941 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230601-gr18nach45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
ce25649abbe9630dc2b2d01633b89e1688fd701ef301838a083460cb11703ebf
MD5 hash:
30378a18a14c234fc4b39656c48c953c
SHA1 hash:
2506b2673a07297c20a25e8836b92d94b758f970
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5a8dc41f-6f4f-4846-bc29-204dad40c7ae/
Parent samples :
45c495f1765c2a86062980d2e2b196b0696247fa42199a6fd278cd739550db57
86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3
57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d
bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6
SH256 hash:
5de47656d70990ec230319bd2e35b9254a19583f005487551a0d9a951607feed
MD5 hash:
c9d1695f8f861de42ff96e5a03ae3e36
SHA1 hash:
a09c013a0c262d8c8f6dba5ffbb4c2c4760129b4
Link:
https://www.unpac.me/results/5a8dc41f-6f4f-4846-bc29-204dad40c7ae/
SH256 hash:
6f0d98d3dc49eff86371bd109407b3d4cb7fd5cfb5c3a5dd00733e2d74dadc01
MD5 hash:
f08f78a2c44ba3bc855f773c8c68d93f
SHA1 hash:
e7f5cc83fa9a22ce98d5a1f25f2cbea86c3f7086
Link:
https://www.unpac.me/results/5a8dc41f-6f4f-4846-bc29-204dad40c7ae/
SH256 hash:
bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
MD5 hash:
d22375a02236939df6e4f2b423322465
SHA1 hash:
943e28a8cac663dc4beba7b9d298fb7268e1dcfa
Link:
https://www.unpac.me/results/5a8dc41f-6f4f-4846-bc29-204dad40c7ae/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf6837cd64c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/394300/

Comments