MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85
SHA3-384 hash: d4f08d8d110584433371120469c8299c7af493c706d4d40d968cd76b1406510dfafa5cef080e60f19832ef8ba7227ef7
SHA1 hash: 3c3f8e30daaedb7bf1350136e512dfad1d297793
MD5 hash: e701d30f2c8adda50eb89a10d6091d44
humanhash: illinois-spring-video-hydrogen
File name:REQUEST_FOR_QUOTATION_77999_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:241'264 bytes
First seen:2021-08-19 01:17:05 UTC
Last seen:2021-08-19 05:36:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f86f9a1397ea2f648b8914df9ad78914 (4 x Formbook, 2 x Loki)
ssdeep 6144:xEdPbrL20zr5OwAKPucinhwg29CtSwuUzRvVBQn:xgbrLZzra8inhwz9VW1vVw
Threatray 3 similar samples on MalwareBazaar
TLSH T16E340282E7D81799C066413059A8547F9A9E2FB78ABFB07ACBB0371E747DDC034117A2
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST_FOR_QUOTATION_77999_PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-19 01:17:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b183d55-5b9f-4458-a463-ee381d2a2eb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180483/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.25148.2953.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edb8e42d-fd8e-48d0-a4f7-701a8680c04d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/835447
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 00:33:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
11 of 46 (23.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6orz5zgnuaut2lh67tifhwuqxr3w47hl7544sedcepslfmelscq._file
Verdict:
unknown
Similar samples:
1736c3f3d740011ba6f6d8f18def38d20f0bcbf88c3f69821db18578bc00590a
Formbook
9f8faf1ca8d3262940620bcb00487188e8657336cc3cb498ba4ad90ae96a59af
Formbook
e72dab4f75cd19899422ecf38de195bf487f0f9d2b0ccad98c13a48e9d782e97
Formbook
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:snaa loader rat
Link:
https://tria.ge/reports/210819-lx8d4b4yce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.xeotochevrolet.com/snaa/
Unpacked files
SH256 hash:
143d67342ea7ddf9ef6051ad138d6cc0d7b3411917bcf28263b64b8749201930
MD5 hash:
9c811a12fb67076165fb0d1fec975902
SHA1 hash:
815e5214c95de00940018cd50e5e3bdfbb732642
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e2a67c01-cd50-41e8-a88c-b5d20ab48f43/
Parent samples :
70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7
179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85
SH256 hash:
179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85
MD5 hash:
e701d30f2c8adda50eb89a10d6091d44
SHA1 hash:
3c3f8e30daaedb7bf1350136e512dfad1d297793
Link:
https://www.unpac.me/results/e2a67c01-cd50-41e8-a88c-b5d20ab48f43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180483/

Comments