MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86
SHA3-384 hash: 6118fa3cf0b5c5374e26920c41f8648fb620511b4c9f0ca3bb1824a731c95445e429b56b00eaf00c30f4f2df5d6db9ed
SHA1 hash: d49e48696b22d76eb2071be8d1e27d0471c8b76c
MD5 hash: 6e1fbcc9b8a012c6564b94a8b4c242fe
humanhash: alpha-moon-summer-six
File name:bunker inquiry_02022015.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:301'203 bytes
First seen:2022-02-15 08:17:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:owvRVTvYIyB4lrGiXarrRzbFguquTzXox2rf4It3dPHVfljJ8:V4WqV+tu/ox2rfRt3dP1f1J8
Threatray 13'303 similar samples on MalwareBazaar
TLSH T1D254125E7DD49BF7CA1503315DB3CF2793B6B70802630B9BA3904E4FAD6A1A29125582
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241547/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620b61bea2660f3bb9d8806a/reports/9af4e1b9-1021-486e-ba48-da76fa59e852/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8a52d1b-0fd8-4716-afcf-90d56bbe29b3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939935
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572413 Sample: bunker inquiry_02022015.exe Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 3 other signatures 2->53 11 bunker inquiry_02022015.exe 19 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\Temp\fptcx.exe, PE32 11->31 dropped 14 fptcx.exe 11->14         started        process5 signatures6 65 Tries to detect virtualization through RDTSC time measurements 14->65 17 fptcx.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 17->20 injected process9 dnsIp10 33 cluster-a.redirect.pizza 89.41.169.49, 49801, 80 TRANSIP-ASAmsterdamtheNetherlandsNL Netherlands 20->33 35 westcoastify.com 160.153.136.3, 49814, 80 GODADDY-AMSDE United States 20->35 37 13 other IPs or domains 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 57 Uses ipconfig to lookup or modify the Windows network settings 20->57 24 ipconfig.exe 20->24         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 63 Tries to detect virtualization through RDTSC time measurements 24->63 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 08:18:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6n2urkssccp3344kwjekvw3ibhvtuz32cx3jc2ed3fqsz3cp7kda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2a170cc5086a00b41ce8ff4bcf8fce45f85aef342d4cf4d08f018943cc5221ac
Formbook
31168981af16e0fc209774a91e04e5aaf622cacbed12e970b7a35db0705174d6
Formbook
34fc8a270fda2856448cb455e3dca4d8210f5e83f25f1fa8339d8f428a449466
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129
Formbook
8c4f6fdac7ad099e36f33ba17cb2f7439dc95916f4013b652f464c866fe88fdc
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
e8720afe9895124761086a0f00aa515997015669cc5332aebe99d5ea02ca7377
Formbook
fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785
Formbook
+ 13'293 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ciaz loader rat suricata
Link:
https://tria.ge/reports/220215-j7arraeaer/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
df87f745921a2f492e45d76cf7e74b886656a40649ac8d94a644196f7101d065
MD5 hash:
f0bc5f28b0fa7c0765f415614f05f89e
SHA1 hash:
eec083182c465bedf96b21de8ebf00acd50ff575
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/95de5c86-691f-4021-84af-aac5a52eb329/
Parent samples :
f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86
79e8144ee4e2e97695849928e162288fc282de48ff4caea48314f9cb56477917
93da913f4b899003071cf8743f4a06f14464397cdb135638e2e76072a283f970
e9330d2f7bfc24c38a60bb55c0624c97c5b89672188a0177d2596a9a11491e7c
SH256 hash:
c6cedf9644c5367c4813d59c64811a39bbfdf8df99bcfe6af9ae812a700f565d
MD5 hash:
b9fc0472008bf663a3d92bbd7a07080e
SHA1 hash:
0528326eb7d480eadf61420348d777b66f0c9e99
Link:
https://www.unpac.me/results/95de5c86-691f-4021-84af-aac5a52eb329/
SH256 hash:
f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86
MD5 hash:
6e1fbcc9b8a012c6564b94a8b4c242fe
SHA1 hash:
d49e48696b22d76eb2071be8d1e27d0471c8b76c
Link:
https://www.unpac.me/results/95de5c86-691f-4021-84af-aac5a52eb329/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f37548aa5210/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f37548aa52109fbdf38ab248aadb6809eb3a677a15f6916883d9612cec4ffa86

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241547/

Comments