MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af
SHA3-384 hash:	6b2ed570e367606c8496161f0fab7e5f141105fe957524646d83775b86bb24f676f701ebbd4db236ef136c5a3c54ccf0
SHA1 hash:	aa15fdd8d6f27edf23996c1178f2a08f7ac5cb5d
MD5 hash:	6ea5fce03544701f377053818fccbbe8
humanhash:	rugby-eighteen-shade-juliet
File name:	Request for quote_April 2023.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	606'208 bytes
First seen:	2023-04-13 13:35:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:BJMUDyLwtHQsnNpXPMgnA0u+pZtfeTep1:BOUDuwuypXPMo9vfeTeH
Threatray	3'263 similar samples on MalwareBazaar
TLSH	T1BFD41206B267A62AD59D027B89D2000003F14B4BE953EA5D5CE632E8574EFDA8BF1F47
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request for quote_April 2023.exe

Verdict:

Malicious activity

Analysis date:

2023-04-13 13:37:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a1732b45-2145-4fc9-beec-33b56766e4c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/382015/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/643805070530985b5cccde62/reports/38d628d3-eae0-4434-91cc-ff03f996722e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2ec20d8c-3288-48af-abf5-5a89c8f98bec

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1213214

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2023-04-13 13:34:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bpy227r5l4v52we5glzw3oap4kdcvczucld47tppj6bzzezz22xq._file

Verdict:

malicious

Label(s):

formbook

Formbook

342215db36f2fa15a4b72d54cb4e7a7179462dcaab9dc9f791336df867d6d286

Formbook

3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b

Formbook

80c6293d18c38b686ea6ab60d134247f8d72553be2d20a305b94c78115227667

Formbook

9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca

Formbook

a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495

Formbook

b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080

Formbook

e2f96798a7d58ac8a06c39d4459336c8fddafec67fe12cda3c9d4e497702601f

Formbook

e8120ddaa86fc56ab083a38b22ca366809e5d1196f3c10175bc745e3dfd15750

Formbook

f90cae8d2f230d52a461faf67dd818065329eb8cac4c241734a3f224eee1c531

Formbook

+ 3'253 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:c29i rat spyware stealer trojan

Link:

https://tria.ge/reports/230413-qvnw6sbg24/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Blocklisted process makes network request

Formbook payload

Formbook

Unpacked files

SH256 hash:

257fc20e7d669ad99b02171c3ad8e283c15a03f37353b86dfc9ce7f97a2e83f4

MD5 hash:

5ec006776d581c467571140ae88a8fc5

SHA1 hash:

79146bdccbcdd91c70ebab114e202ee8b611c2b9

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5b5e094b-83e7-42ef-be42-b5e3bf40a363/

Parent samples :

2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080
0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af
bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed

SH256 hash:

40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403

MD5 hash:

c768bac25fc6f0551a11310e7caba8d5

SHA1 hash:

95f9195e959fb48277c95d1dd1c97a4edff7cb3a

Link:

https://www.unpac.me/results/5b5e094b-83e7-42ef-be42-b5e3bf40a363/

SH256 hash:

e7504be67a6efbac3984b0e04091e2164593e437486b40d29b963d90874fd057

MD5 hash:

46ba389011d00279c8527f798312844d

SHA1 hash:

59910cacab5f3e989658988b64898608b4240a6e

Link:

https://www.unpac.me/results/5b5e094b-83e7-42ef-be42-b5e3bf40a363/

SH256 hash:

f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1

MD5 hash:

567bbf43aac601560b1def4a872d4089

SHA1 hash:

21dfc6e6ecf39c9c23927c114ca911559ca4593e

Link:

https://www.unpac.me/results/5b5e094b-83e7-42ef-be42-b5e3bf40a363/

SH256 hash:

4b8461daa868a2a5e0437391e6cdb5bfba236d05e0737d7b99c89bd5c7c9ec30

MD5 hash:

62e7d8d82d5486543dfbf2df5ede7e6b

SHA1 hash:

16bf3ebdee47eca274e0680e6d901959688f28ed

Link:

https://www.unpac.me/results/5b5e094b-83e7-42ef-be42-b5e3bf40a363/

SH256 hash:

0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af

MD5 hash:

6ea5fce03544701f377053818fccbbe8

SHA1 hash:

aa15fdd8d6f27edf23996c1178f2a08f7ac5cb5d

Link:

https://www.unpac.me/results/5b5e094b-83e7-42ef-be42-b5e3bf40a363/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0bf1ad7e3d5f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/382015/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample