MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b
SHA3-384 hash: e16a255dc3065ad08306376f714ab8b5935dffb409563b9a2b4e8f36e6f558af01cbd19881b050a7e1007c8d9bb7f8c7
SHA1 hash: 62704189a0ec33f9522a31c73fb237158fa43599
MD5 hash: 0147b07938bf36bf5849bd1aa6117409
humanhash: apart-chicken-october-island
File name:RE QUOTATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:881'152 bytes
First seen:2022-07-12 10:22:25 UTC
Last seen:2022-07-12 11:01:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:kDI4/Mtm1ge1Iojjm9kGwYjtGNy/7p1PXCrwnyxjI7YtXU5eUYR5d3K:kR/XFNssNaDCrwYBtkOnd6
Threatray 13'645 similar samples on MalwareBazaar
TLSH T16D15E12AFF29CE65D2540A36C4F70A54137496B6C207EF8F2BF911642D033A76DC6AC6
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 18a219d4d4198a10 (20 x AgentTesla, 12 x Formbook, 10 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RE QUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2022-07-12 10:50:37 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/dc3a3bc3-6bd0-45cb-aea1-51725ca7b151

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286568/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.19693.17900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/62cd4b8abbcf6baf279695b0/reports/3bfad80c-775f-4717-8753-82593b3bd83a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd6fcf53-3983-4827-bbe0-323e9027a73b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029336
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 661831 Sample: RE QUOTATION.exe Startdate: 12/07/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 13 other signatures 2->50 10 RE QUOTATION.exe 20 2->10         started        process3 file4 36 C:\Users\user\AppData\Roaming\hcFiiK.exe, PE32 10->36 dropped 38 C:\Users\user\...\hcFiiK.exe:Zone.Identifier, ASCII 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmpFB86.tmp, XML 10->40 dropped 42 C:\Users\user\...\RE QUOTATION.exe.log, ASCII 10->42 dropped 52 Adds a directory exclusion to Windows Defender 10->52 14 RE QUOTATION.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        21 2 other processes 10->21 signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 23 explorer.exe 14->23 injected 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process8 process9 29 help.exe 23->29         started        signatures10 54 Maps a DLL or memory area into another process 29->54 56 Tries to detect virtualization through RDTSC time measurements 29->56 32 cmd.exe 1 29->32         started        process11 process12 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 10:23:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxon7pkmj6raz2bm75krlgxae5wjztu7jb5dibub65zdj4gwji5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1877648fdaaeb4d9cc21527eb8c3d5609b41333d886f73837a4fd3a2116d9973
Formbook
3b2aed15298aa9110cc90c069742839fdc9ddb24f91a8269284a504a5ba1fb9c
Formbook
3f6c93773e47afcf964b6d01313d63b90dcdb8ac227cd7bb80b232fc924f5aac
Formbook
8bb6042a5324981df5fc9259ab15da7c6badfb20be1d99cfe987634d9e37ea83
Formbook
947f2382fc8bc6976d1fd37ac489d9ea783f0a1becfe36d44943596f1178deef
Formbook
9bccba2dd88df736c04d6d657879abe5b3bee28103aecedbba19b91b684d43af
Formbook
af5011d40d9869926e4f208372a75fcd5fd2547f5e406e7e5b5e5aab4a5b7cd3
Formbook
ea0537606344cb60ca5159b9337165626af8301982b0d77020b4f49a0a6ef7b0
Formbook
ea4ca77890daba701679e692e4ad121c665c5089082450e00eb921976dffbe04
Formbook
+ 13'635 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:jr04 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220712-mesnmsdhgk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
256d761b54d3e6f4ff15499cd707a4bd02c92710e85eb9e8fc3ae387e6e2704f
MD5 hash:
85855cd278c43f55ae386f92e584fc6f
SHA1 hash:
ca00ac6fd54bf7e5a1710981e9857451abc8b617
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/25df3a22-99f3-4b63-bcb8-6e95ae1fe30e/
Parent samples :
cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f
15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b
941b5d0273cb5958fd40a02b5251393140f8b72725e29cc1889bcf66cd3d0c54
03674981113e278ddd535c0c2f1be91ab6f65533a3cd69efd7a0e5ff9eb1957d
18061c8a31f3728962bed4acb1806d2c87cfcefe616e4003fe8c9569e6877a8b
dba99585218765f78dddf353fa0bc8cda522649bb25e13d71dfcd316e5d7c3f1
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/25df3a22-99f3-4b63-bcb8-6e95ae1fe30e/
SH256 hash:
7355a5910a6c85909a409650b0481f036d07e787d5a78017ee2cc70c956e1286
MD5 hash:
b0bf93c5452f1e784cdd9c4261d54d31
SHA1 hash:
32ad58ee57c4ff0404a978eb5e90390b282fb04a
Link:
https://www.unpac.me/results/25df3a22-99f3-4b63-bcb8-6e95ae1fe30e/
SH256 hash:
c3d464f07bd66958f9ca1ab1e85d6cfb0ddab337dd9a9000900a14173297c649
MD5 hash:
6892819693644d45b522a3725d4533e8
SHA1 hash:
1d1493736406052ae73ef7661786e21cd9805dd2
Link:
https://www.unpac.me/results/25df3a22-99f3-4b63-bcb8-6e95ae1fe30e/
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Link:
https://www.unpac.me/results/25df3a22-99f3-4b63-bcb8-6e95ae1fe30e/
SH256 hash:
15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b
MD5 hash:
0147b07938bf36bf5849bd1aa6117409
SHA1 hash:
62704189a0ec33f9522a31c73fb237158fa43599
Link:
https://www.unpac.me/results/25df3a22-99f3-4b63-bcb8-6e95ae1fe30e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15dcdfbd4c4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286568/

Comments