MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53
SHA3-384 hash: 81d3f3b5bcc749f81fc134e53be08bb9ddd2fed3dcba02d2859667620fc1f1c53527b3376d3ef4a6fd747c4897f268b5
SHA1 hash: 09c2fcae04979ac5eaa9a30efef0e59aa5bf034d
MD5 hash: cfe607172762768ef0d28bd9d46459bd
humanhash: green-october-hydrogen-four
File name:Request for Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:569'344 bytes
First seen:2022-01-10 06:47:42 UTC
Last seen:2022-01-10 08:37:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cf6a6d4cfbd4eaf85b2795df0626b1d5 (2 x Formbook)
ssdeep 12288:hIlLNX+OnUoEIf9SBB4GgW+0PY0oInE8cZCcNTRA:OlLNX+OnUoeBB4G/3P3oInERCEd
Threatray 13'126 similar samples on MalwareBazaar
TLSH T193C4BF41B7BCE9B6E2A352320D44D9304C65F87A1E3FAA87B7C26E0EC53C9901539797
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation.exe
Verdict:
Malicious activity
Analysis date:
2022-01-10 06:50:24 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/86fcc49a-2702-4dc2-9590-adad282960bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217950/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.25651.1989.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3961/overview
Behaviour
MalwareBazaar
CursorPosition
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed print.exe shell32.dll
Link:
https://www.filescan.io/uploads/61dbd6aa1c0d769df9ddc805/reports/9e15047d-6729-4468-b367-15b16493f842/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917468
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549943 Sample: Request for Quotation.exe Startdate: 10/01/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 13 other signatures 2->45 10 Request for Quotation.exe 1 2->10         started        process3 file4 27 C:\Users\user\AppData\Local\...\Cielert.tmp, PE32 10->27 dropped 13 Request for Quotation.exe 10->13         started        process5 signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 13->16 injected process7 dnsIp8 29 viperiastudios.com 50.87.249.32, 49819, 49828, 80 UNIFIEDLAYER-AS-1US United States 16->29 31 www.teentykarm.quest 37.123.118.150, 49788, 80 UK2NET-ASGB United Kingdom 16->31 33 30 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 37 Performs DNS queries to domains with low reputation 16->37 20 rundll32.exe 16->20         started        signatures9 process10 signatures11 47 Self deletion via cmd delete 20->47 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-01-10 06:48:15 UTC
File Type:
PE (Exe)
AV detection:
24 of 27 (88.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdixxhanhk2ow6ndrmffabsv7h2hxq2gq4mk4w3b2woqwk3ipzjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92
Formbook
4a5b5a531a3b114eec42bec024ce1f0d4178a109c08510311819c58e920fd90e
Formbook
64e3a0f2298f21833eb7a9c51aa0b2b8d3354bdcefb0156bb34371e3163d8b3d
Formbook
6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf
Formbook
78bb96983441b23a5dc66dbf465887bfd3c26ccf3dda2557f17e291dd11076bd
Formbook
7f4888239060a411b5a521d19e88bb1158189634f764383c2c2fc0bb84e01169
Formbook
8ab0631733cbd75ee80236daf25af3a79d6c2471c2c5b3f354407f92101bea28
Formbook
b207cf6e0fe84692f4311e2768d913bae8005da5f7ed4cf1cee2459a6f62faa9
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
ea12191fcd49d36b68be2c466a24cac87cfd79f9d1fb18ef252037f0fb976979
Formbook
+ 13'116 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b80i loader rat
Link:
https://tria.ge/reports/220110-hkstdadhg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Unpacked files
SH256 hash:
0c3a45da7ec9a0c118c42decdf545d44289cb1f362f9de3ac3a775a0f6593ebc
MD5 hash:
aceaee03848ffe132194e3e674d14135
SHA1 hash:
9f16971f647cfea9eaef5a0a1e045a0d8a282db9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3bec7040-866f-4e50-ade4-1e881b240c6e/
Parent samples :
78bb96983441b23a5dc66dbf465887bfd3c26ccf3dda2557f17e291dd11076bd
08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53
1ec8f5c2a626d9484af9532ed48a5b7482fc0dcdab074d8545ac8e4454c68a89
59b1f5cc85d4edc7bcd38811f27e9991a829e977cbadd58913670d434dfbfeff
02c848711be5356cc435b98837bdf0120cac86fdeaa5238793a3ab6300482147
f8d64de8061469f13cef1bffd0a1f45a5bea64f918acaf76026e04130185764c
SH256 hash:
08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53
MD5 hash:
cfe607172762768ef0d28bd9d46459bd
SHA1 hash:
09c2fcae04979ac5eaa9a30efef0e59aa5bf034d
Link:
https://www.unpac.me/results/3bec7040-866f-4e50-ade4-1e881b240c6e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08d17b9c0d3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217950/

Comments