MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292
SHA3-384 hash: 61cbc86a6e4223b0a737109037f502a8458abf62c527754fb5971b70354398ee8fd79423740cbb9214f3bd2108420290
SHA1 hash: d9981a9445678ac4bc87650128f46357b68174e8
MD5 hash: dc0b9a5a2d4c7f8093a262d439c339d9
humanhash: mountain-kentucky-eleven-grey
File name:Quotation-pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:612'377 bytes
First seen:2022-04-18 12:37:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:SNWec+PHw/opzURBiDsdr+Rv2EKe1Zyhc9ftbtdJDK6fz:SNWD/6zURBi0r+RvzKs/9VbrJrr
Threatray 12'222 similar samples on MalwareBazaar
TLSH T186D4121C3B6ACD1BC51527B009B4E6B9967ADD063935C7072BE9BEAF3E35B847C04281
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 60d8983838d8d8d4 (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264330/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/625d5bbfeab80a7a6c380605/reports/a7772124-0530-4333-b008-f3c2a039b701/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3704f1b9-88e6-435e-8507-22e19996c9ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978182
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610669 Sample: Quotation-pdf.exe Startdate: 18/04/2022 Architecture: WINDOWS Score: 100 22 Multi AV Scanner detection for domain / URL 2->22 24 Found malware configuration 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 5 other signatures 2->28 8 Quotation-pdf.exe 18 2->8         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\sfcxb.exe, PE32 8->20 dropped 11 sfcxb.exe 1 8->11         started        process5 signatures6 30 Multi AV Scanner detection for dropped file 11->30 14 sfcxb.exe 11->14         started        16 conhost.exe 11->16         started        process7 process8 18 WerFault.exe 20 9 14->18         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 01:33:28 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dextw4gnuk3dbp7v3k3owen7cmeienjggskwoyxdsuspkqjbakja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0eb3aea0d96d9fb004f9c3b63ff3cd49b5f35262102104aab0f39b8f7797a5b1
Formbook
2c096e676a791721c8988f951f06c87c4306f34befe39b04991286143b755c9e
Formbook
2ee32fd5fafe174b2fdfa8dfd614686e9d8bf0552ff8ee78a3a1460566619769
Formbook
38c909bf15fc21291bb3bda3e4c56b117bc9810a85508eb46308b5ebcccd2719
Formbook
46cd865e4436d5c43c1d5ff76d6dc1c7468760df1b7d4f84060b7d429e0ab74d
Formbook
4d5d803e91d5a07b32a19a06a8f722d3d4aead462bb2cab23470f2c2ad79b71a
Formbook
995ed5a87efc98cfc45cd810d470bb7aa28a8e598da4a27516892bffdc99ac27
Formbook
aaa025e66e7edbf2120c46ca3f09420caf7a71ff6c52cd64ff69198b339778ed
Formbook
+ 12'212 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o27j rat spyware stealer trojan
Link:
https://tria.ge/reports/220418-pt27qsahh9/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
eb113721ae337f5920cffa1b21456290acaa56830f25188b8f6dd25057492b80
MD5 hash:
3a2c41b37bd5993d6b3f01fc4a8bf707
SHA1 hash:
09d0a1e57e0241fcf2b4b9ed7d6ee9cea809395b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f0d6234-72be-4ba7-9630-6b4ebb39c50d/
Parent samples :
4d5d803e91d5a07b32a19a06a8f722d3d4aead462bb2cab23470f2c2ad79b71a
ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289
2ee32fd5fafe174b2fdfa8dfd614686e9d8bf0552ff8ee78a3a1460566619769
192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292
SH256 hash:
355f9e49a29df270f5df2842cb1cab9afa64178871a8e6bf4f8e11e7e8ebc574
MD5 hash:
b1e5e6091e98ca78222cb0a8119db6f9
SHA1 hash:
00c4b5d44f971a5c757821db79e00cce1f38f6b4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f0d6234-72be-4ba7-9630-6b4ebb39c50d/
SH256 hash:
23f0f398cad4b1daf2accdb0c391eb328e3600624a4900c1b2b25bf080d0c05e
MD5 hash:
5bd5599a07d0cc75d60e606fde211ecd
SHA1 hash:
357f07816d7f235e904d5a825d056e5f5207268c
Link:
https://www.unpac.me/results/0f0d6234-72be-4ba7-9630-6b4ebb39c50d/
SH256 hash:
192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292
MD5 hash:
dc0b9a5a2d4c7f8093a262d439c339d9
SHA1 hash:
d9981a9445678ac4bc87650128f46357b68174e8
Link:
https://www.unpac.me/results/0f0d6234-72be-4ba7-9630-6b4ebb39c50d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/192f3b70cda2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/264330/

Comments