MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e
SHA3-384 hash:	1e70b8dbbfc9fc619a3931017657b949d43988004ce73ab564e610846a5baf6000c0b335c3037e03a10964dea6207e99
SHA1 hash:	610ae0aaf8207aaa5f53c9f6c590c93236d74f2e
MD5 hash:	9b04049db7fa11306845b50bdae4db75
humanhash:	snake-eleven-steak-one
File name:	Request For Quotation GM-0034.pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	825'344 bytes
First seen:	2022-04-01 08:16:26 UTC
Last seen:	2022-04-01 09:49:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:xUIsJI7P8CoRl1s8F0nNHZYmKOXnqToEar+zqTDCJKG4F0w7N8T:psJIwfRQ8qGMruzqMKNFn7iT
Threatray	11'196 similar samples on MalwareBazaar
TLSH	T10E05122333D88E24C1F8DB3695610641663ABD263136FF4C26CD709E8DBBBC5926539B
Reporter	GovCERT_CH
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.32690.26549.31021.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed

Link:

https://www.filescan.io/uploads/6246b5011f204239486326c8/reports/93d59c52-09c1-456c-a7aa-feb9fd8fc771/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/889d4ca2-11e5-4463-9a80-5b903f24c326

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/968828

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2022-04-01 03:03:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dt7ipai5bqzq3vx5zjlj4labhh7hi7hg5uugu2yzm4qr3kb25kpa._file

Verdict:

malicious

Label(s):

formbook

Formbook

1e44c6643254f7547111c6d6b60167d3303af2b0521c355335a9d90621d5a091

Formbook

6fe90dc59e5714ff4c7ab9d9d3cfda6870eb745b6ff9e6ce4b24b36a33d8dd7b

Formbook

a6d6dfb0f05974dc8b41f7f79a0aebcab35b5608a900e53c9726059b2afed130

Formbook

a85b3b04c88279079b90d37499c66905595d463b33a8b42971cc7ccd042f5e84

Formbook

afe482e8b31cdab9fc20bbe3c2e39bac17c4c98a71e89ca57439ca9dd0f0249e

Formbook

db59f2e1e2d02abe7820e73098d1f7b46f54233011423920b873c2c430f61a9b

Formbook

e8dea312a09b6c4d62912126a38778be06eab9e5bc9d33cd3af7ee8938ddbe8a

Formbook

+ 11'186 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:cnt4 loader rat suricata

Link:

https://tria.ge/reports/220401-j6pvaadbdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

3d10e391c75dbd7aea54fca25d65fc8e8567aacb87410b0a71a50352d722c53c

MD5 hash:

169fef09540f138687bd08584e6eada0

SHA1 hash:

4194e60b7e11dd690c3323b7519747cccc524caf

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/dc193663-abe7-437d-8620-730911dfacaf/

Parent samples :

c790709d8dc4d64cc1d97f54c6fe4898324074fbabecb8b58805d314c2e90e94
1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e
936ba69a1651142a6cae81b4ec80cb136f50c8d4546a7bbed17d9f73c1585081
9fd0d61928b1ecb3a3c549211852f90d77c2385d61fefb41cfee90b3e02a9909
8df4859a1749748668a23e275774df251a33f9f06382c95b993eac828d56bf17
99bb3d1c9a2a4dad6465a81df1008b91f5836e51ce0463da76b31f9758dd9b62
e07c12a4c17554763b40b0ca410493875bbdd907bc8ba261a732d935e015f852
3ea19f45dd5b9c5ed0e6f371d7e92afda076c69e6a43eafc3c83337819eee56a
b2c216b105f0d625ec3d8fef5744dc11fc21c798fc2b308519cb753555b03ab5
aab4eddc82e46eeefa0bf82508f81ef3c5a4b3b46d2848550eb0fea69c41c80d
9ca60574d9d34c0b3450b8c79c865b3dc722169a3b16d86e6ccb71eef22cc9e1

SH256 hash:

ca67be40f3116b4928ad766f46ab34904f9b0e957934e962a524fd8680cd76b6

MD5 hash:

495d0f574daf3d0247c969890285e080

SHA1 hash:

7e64598855e2d4b5614fef50bd39a8ae8fe44e2d

Link:

https://www.unpac.me/results/dc193663-abe7-437d-8620-730911dfacaf/

SH256 hash:

613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c

MD5 hash:

3096cbaf4b5d40f9c61bf7ce13fde62f

SHA1 hash:

6b3c580e51fd306bfdc2e727ca3bc7805aba4b53

Link:

https://www.unpac.me/results/dc193663-abe7-437d-8620-730911dfacaf/

SH256 hash:

3c174e612df09a1883e2acc430998337d1f91444fd6fa086c94ef054622fe65d

MD5 hash:

c1f436c4c93b9c21f71ba12a1e9d0c57

SHA1 hash:

3d7a4899b017387cdd2cea77888f09a88582c065

Link:

https://www.unpac.me/results/dc193663-abe7-437d-8620-730911dfacaf/

SH256 hash:

1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e

MD5 hash:

9b04049db7fa11306845b50bdae4db75

SHA1 hash:

610ae0aaf8207aaa5f53c9f6c590c93236d74f2e

Link:

https://www.unpac.me/results/dc193663-abe7-437d-8620-730911dfacaf/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1cfe87811d0c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1cfe87811d0c330dd6fdca569e2c0139fe747ce6ed286a6b1967211da83aea9e

(this sample)

Dropped by

xloader

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample