MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10
SHA3-384 hash: 3728a0e1ffc922a2a26295735705ceefd5c9b1f7919bf4e55d89f4ec55723131e12ad509f1041960a5090957aa2b7322
SHA1 hash: 12e627c595a26538939f7fe14d8188f077ad0c4f
MD5 hash: c4a1549f106d6ebcf445cfdb30b54233
humanhash: fifteen-angel-artist-london
File name:SHIPPING DOCS INV PL G & W KIDS LLC -61-2023-FALL-22-COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:934'912 bytes
First seen:2024-02-15 11:02:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:UIDQ7Wvlcj1kFtldDooOGqUvq5ceRcMd4QtTTkD9c3h:1DQ7Djchq6qeMd4uTE9cx
TLSH T1B615D0F98202251DC43536B8C3B763ED23BD1EE6BC56C60A94EC75B4687E3803619B5E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476321/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Win.Packed.Formbook-10020621-0
Create hunting rule

Win.Packed.Pwsx-10020694-0
Create hunting rule

Win.Packed.Pwsx-10020695-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
davinci formbook masquerade packed
Link:
https://www.filescan.io/uploads/65cdef85bef28d0c6fb9748c/reports/4ae849b3-2daa-4d96-bfd6-1e0b1089baf1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e94fb96-1cec-47f2-b687-a81cb969bb72
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1392790
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-02-06 09:30:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yn6ceultnvjmgi2kpukucaz3puejc27sy4a6sjn72a3qyomnrqia._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240215-m5rt2aeh2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
d098e5b0477b97ea0af6ac09a52c8783161d4f315a37d510f396b30f22ed3dd7
MD5 hash:
d4c5213fd5fff502de06ef4879627fe0
SHA1 hash:
dd36a8c2538f86865e7a3859df33be7b3c2a8376
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
Parent samples :
c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10
37c4f4f899e08371042e4b4cc03b87297989ad424c62228a7a50293f2ea7de22
SH256 hash:
318cbe6c5e8564e124fb94887d6cc6da5b6589e4374980aeaaca1e90279c3c5a
MD5 hash:
5c6bf8dd2e824198fe624a6f22a7be6e
SHA1 hash:
1092637d98fcf9f5bdc078c686ddc81712e69a50
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
bb06a23e308f2eaceefb17f856ec6967eb7eb8d31473de6d8b0744bfc71300ec
MD5 hash:
64920344e3d76f82a0d5f94e1a0ac816
SHA1 hash:
38ef8198c7cbc87a03552cfdf4afd43cb5ca4c7b
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
38e0c6d980305c75802c29c0296f16fe0e9d8ef0c387580096acbfb914a805a3
MD5 hash:
6d6dc9776d8f8feaf6f35048c87e3c85
SHA1 hash:
2a93098d71c171354d458ecabd97c5b2aca00cf4
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
75c64c989b913c5fcbc70a557cf25236a08f17ab6c4c71231394e98d214975b4
MD5 hash:
572863056016185f5daa4c76fa44778a
SHA1 hash:
25a0660fd71ba86b0127411d7485a6ea614e0238
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
731223cc23140a70d6d7cb3a6894c8fc27b742b1f3dba02ffc82a0809ad4951e
MD5 hash:
7e817168f5b53affbea32c93db801a7e
SHA1 hash:
33c1e77ff5a4e446f0e6aefc68251be343ec38b9
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
4c9e00f90c76ac9b69035ae6d037cab3547a96169c6964ccce0f700d5582ba92
MD5 hash:
1f55649cc2c8816cfde6bb1ed485c619
SHA1 hash:
f43e6e0f28f0f4d1d8366e3f808e3afd87639f88
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
e2c10e80c225c6020ffc3b30d6d55bb0b6e5c8c93686e510d5b25da9dc718488
MD5 hash:
adc1c2e1890779327ddd206b3514b580
SHA1 hash:
ef64311d3c78af78d769e8bba4364b0e1e447354
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
262269c644675c2ba71996d9f723a4410746ccc20424cbf7f9e2b1e8371e4788
MD5 hash:
745b1151e18c52c873aed367ff871106
SHA1 hash:
e5bd22801544cbb0682ac79d7d88b1d1ca609489
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
05ee916259d608ce9b60b2aa66ff75385643e1653a922eef70e0f6233af8d1d9
MD5 hash:
bd530ff992d98192951b25865b0379e0
SHA1 hash:
9851cc4ffe2f3226764d1162dd447f3b0311c3a2
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
ad15bb5c0c926dc24b183b4d52b105fa1ad421160b0bce873c73ea96e30d1934
MD5 hash:
57ac569f50965fdf146faf480589ae2e
SHA1 hash:
2e10d50caab506c35233d6b0e9370a533252c8e2
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
3867275da4a801b9b490107df3a9ceaa655f2e0f036d38971828efedb5bf0441
MD5 hash:
3be916f4f6775c5bc5d3383fd8c6798c
SHA1 hash:
134446c011b686eaeabdeba092f13150bae29992
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
SH256 hash:
c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10
MD5 hash:
c4a1549f106d6ebcf445cfdb30b54233
SHA1 hash:
12e627c595a26538939f7fe14d8188f077ad0c4f
Link:
https://www.unpac.me/results/51aef5ab-b7cd-4ccf-a2e4-2aaf086caf66/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c37c2251736d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c37c2251736d52c3234a7d1541033b7d08916bf2c701e925bfd0370c398d8c10

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/476321/

Comments