MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3688d8caa70a496aa55ed70190c2d7fd53487b21f286d14ea6849d78cd375a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	e3688d8caa70a496aa55ed70190c2d7fd53487b21f286d14ea6849d78cd375a8
SHA3-384 hash:	917eb3962955ba4722acf543d929baf2c7a949881f1bf3f076c3cae10841e202c60860ed3c63031796905f16193275eb
SHA1 hash:	6feafa94d202c84d1cf2b5ad5d29678ab3904175
MD5 hash:	cbd7a53e96bdac43eab1d17d7cd2f3d7
humanhash:	illinois-charlie-nevada-north
File name:	Proforma invoice Shipping documents.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	303'104 bytes
First seen:	2021-10-07 16:16:43 UTC
Last seen:	2021-10-07 18:38:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8a29d5b60fd6ca6491e11ecd8084e737 (1 x Formbook)
ssdeep	3072:1kc6mNLJkqWsV3m+lhUJUn2hjuoClIxZ009CxykFSc05qOk0J2nvb8jrrJecYAWf:6zmdJiJuoMQF9CxX/tO7JS4PIcJhOh
Threatray	7'855 similar samples on MalwareBazaar
TLSH	T14C548C119682C430F65240B86856C2378FEFED3D2802E76B7F6E16D84FE6961A2553CF
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	GovCERT_CH
Tags:	exe FormBook GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

vbc.exe.bin

Verdict:

No threats detected

Analysis date:

2021-10-07 23:52:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/25c9e70a-0d2d-4bca-a468-931757b490fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/195913/

Detection(s):

Win.Malware.Formbook-9802749-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit formbook packed

Link:

https://www.filescan.io/uploads/615f1d80b95458900cde4c3d/reports/67d9ce29-e2e8-4b3a-9a41-28f91c3ba94a/overview

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/791bba70-ff27-42bf-9c2c-2b86e0dcaadd

Result

Threat name:

FormBook GuLoader

Detection:

malicious

Classification:

rans.troj.evad.spre

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/866558

Signature

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected FormBook

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/e3688d8caa70a496aa55ed70190c2d7fd53487b21f286d14ea6849d78cd375a8/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-07 12:09:33 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4nui3dfkocsjnksv5vybsdbnp7ktjb5sd4ug2fhknbe5pdgtowua._file

Verdict:

malicious

Label(s):

formbook

Formbook

2dc7525f9ee6e09a25f840b457bf5b0ba228c4697e1f3d4b81bd2964d2eafc61

Formbook

3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3

Formbook

40da3a76d7dfbe395b879dc9b090af73483617c65c7c433975490c0a22e4a71a

Formbook

ab4676fc90e455da2127126bfbd1fd167328c79eda83f686ef71dd89266825f5

Formbook

b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319

Formbook

bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71

Formbook

e51c60f40080414b74c2eeef62780b28aa31c7875dada6dc2097323a61cc8396

Formbook

ea12191fcd49d36b68be2c466a24cac87cfd79f9d1fb18ef252037f0fb976979

Formbook

ee3de0972b839ce801d88ed0ce2946aa8900d0f11e497bb703f17d59596a1ec0

Formbook

+ 7'845 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:guloader family:xloader downloader rat

Link:

https://tria.ge/reports/211007-trcxaachdq/

Behaviour

Suspicious use of SetWindowsHookEx

Guloader,Cloudeye

Unpacked files

SH256 hash:

e3688d8caa70a496aa55ed70190c2d7fd53487b21f286d14ea6849d78cd375a8

MD5 hash:

cbd7a53e96bdac43eab1d17d7cd2f3d7

SHA1 hash:

6feafa94d202c84d1cf2b5ad5d29678ab3904175

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c904f676-0c7a-4426-8827-75c444e51bf9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e3688d8caa70a496aa55ed70190c2d7fd53487b21f286d14ea6849d78cd375a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.