MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e
SHA3-384 hash:	0f27fabb1fcb3612753f18bff2d7e8908e2ae0369fe89dd087fd960a2ced74a77b94ebdc12a2128f7107b40ab95f1521
SHA1 hash:	4c34b842888ba0c8f80fdba42055281c18e995f3
MD5 hash:	fce9b050476d555a64ce0522191d1f4a
humanhash:	colorado-snake-alanine-colorado
File name:	Revised Quotation & COA_jpg.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	564'736 bytes
First seen:	2022-01-27 15:38:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:JtOKlR4bK9r8tz9xhWMbOMujeszFBp3IrWD:3OKlRn9mz9XuRjlTp4rW
TLSH	T1DDC4CFB2395E8284F42F56B1A62EF81116F13C2BB9D0242905AFF01BC6F5756169EA0F
File icon (PE):
dhash icon	0f696a86630786cd (3 x Formbook)
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Revised Quotation & COA_jpg.exe

Verdict:

Malicious activity

Analysis date:

2022-01-27 21:47:10 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/4804bf54-6194-45ac-ab1b-2165764da01b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/224456/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Launching a process

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/61f2bca76a7929f66a1b6536/reports/2b15c876-0c36-4f18-8c86-a733e6df52de/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1f6efce-342f-49e0-9f15-235c8de5f9e5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/929195

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-27 11:45:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=a5ljoimgnmfswpmd5qg3tvaa7hgwepcr5iyha2vo7hqdf3depfpa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:quc5 loader rat suricata

Link:

https://tria.ge/reports/220127-s3sansfagp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

2016760276966e7d0a1b3ce5eb62661ee8e92f66e5c04da23d3862c7c2e463f2

MD5 hash:

2cb4c00b5b6341dba4b67aa976efbbd2

SHA1 hash:

0d35ccfebfa45994f925c133ef0477cb33619a24

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/26260a42-5d1a-4d0a-9023-20e647dcc7f7/

Parent samples :

088cc7491fc68b14d1e883a36a411b992ef71a038526e9b15b820985d3bbb7d2
d53203021ea88e690e9254aff60634fbafd324c69bebcd705506046e0647eb88
2eba3f9d82559ae0f8d15c141d3844ad3ae4e98c786ab6720506ab3e80565d8f
07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e
db9a46ce4d2d56fb75e4990521c1e905526268b1a6f51311bb8ed6cc6a3ee7b1
ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36

SH256 hash:

5247926388ed51a1178cb1de85bc5df1443c240ace43d7d9386edf8d7fceec02

MD5 hash:

9a6cb543f17cc6f61c016dbc8a331bc2

SHA1 hash:

62210e9d0f4d5b8101886a336feb3e1ae0eaf824

Link:

https://www.unpac.me/results/26260a42-5d1a-4d0a-9023-20e647dcc7f7/

SH256 hash:

140dfe11905a5a640484282902847f8ad0f9596507c5e891d78c8a3b42d89702

MD5 hash:

eac9cab142c2fab929ca1b3f1f6c6c41

SHA1 hash:

222cd1150a70b8afa21719219fda1f9d9f0e33fb

Link:

https://www.unpac.me/results/26260a42-5d1a-4d0a-9023-20e647dcc7f7/

SH256 hash:

07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e

MD5 hash:

fce9b050476d555a64ce0522191d1f4a

SHA1 hash:

4c34b842888ba0c8f80fdba42055281c18e995f3

Link:

https://www.unpac.me/results/26260a42-5d1a-4d0a-9023-20e647dcc7f7/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/07569721866b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/224456/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample