MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a
SHA3-384 hash:	24097b6ec6da479e26a13fd3a752ccaf519758f346edd18d4e18fb917ce955184ea71e0dd8d2d6c75230366651d4fac6
SHA1 hash:	27a42dd0e7d2711bf0cd8a96159ff521542115d7
MD5 hash:	18856c5e2a81b29efb2e77dec6b50387
humanhash:	six-golf-pizza-orange
File name:	Request for Quotation-BV-76435020.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	872'448 bytes
First seen:	2021-08-05 10:40:55 UTC
Last seen:	2021-08-05 12:09:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:lBoR65AXwgFvuSSXsDgtwsMntNEqf4ZHlQMaeJREZ+Lx0Js8OPmbX+eeRpzSLlCc:noR6qgGMPMnnyZHDJwNsWnEpxCLY4
Threatray	7'454 similar samples on MalwareBazaar
TLSH	T136057C2229EB154DF3B39BB54FC4F8BE56EAE5735B0AB0F638910B464322940CD61736
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request for Quotation-BV-76435020.exe

Verdict:

Malicious activity

Analysis date:

2021-08-05 10:42:04 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/ede4ae19-387c-487d-8be8-a746d58d296d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176612/

Detection(s):

SecuriteInfo.com.Backdoor.Fynloski.A3.18727.12961.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d704cac6-14d5-4aba-af2c-da4463e169f2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827745

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-05 10:41:07 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d6nvyeqo7pjsjeivqwbeslobomrlqbojkvrg7psd6ijwu55rqeva._file

Verdict:

malicious

Label(s):

formbook

Formbook

30c70e6852155344b71c74dc919b365847a12ef299cda58501051f706e7bbbf4

Formbook

5fef6e5e702f6ac33542c50d34d3054d1b957c3afd5dffc8fbeaa81d82fdf562

Formbook

644b959318e7825454d8cdd4af75ddeb489c94a7754da360d4cd155bccc3a669

Formbook

7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7

Formbook

851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376

Formbook

c59d79d86f4d301a0d7c94df257fb8ab803bc69517bc6642e5d6ad4410a7a8bb

Formbook

+ 7'444 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/210805-zy6cav1rya/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.nouolive.com/wt5i/

Unpacked files

SH256 hash:

b631cbec8797356a20c9cc7fefe132f40eb822309fa77d5b293e79eb39a3cfa8

MD5 hash:

afe3532e924ae2ca6e39dac05e8ef1c6

SHA1 hash:

953d10b9554315b957cb76a60a2eb207f43cdb7e

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ae5e5cee-bf07-457d-917a-bf1e53e4d0e2/

Parent samples :

24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
c59d79d86f4d301a0d7c94df257fb8ab803bc69517bc6642e5d6ad4410a7a8bb
7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7
30c70e6852155344b71c74dc919b365847a12ef299cda58501051f706e7bbbf4
1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a
4b1dcf9d1e2518e912abcee672aadcaed51f1aa435e3dc1b3fb43d047ec24f1e

SH256 hash:

aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1

MD5 hash:

c273f926e2a29bd62cc8f27b569a0b2a

SHA1 hash:

e08d302cab3e11d776599a6b0537207fce6f9c51

Link:

https://www.unpac.me/results/ae5e5cee-bf07-457d-917a-bf1e53e4d0e2/

SH256 hash:

bbd9d42412741ac2a713432e2125cc40dd09522745e6d077a47271536142ea3d

MD5 hash:

7681b7d7b812110f19a7c60a8a62feaf

SHA1 hash:

958dab14c2fc238d4d2bcc9b7a20a4c7b84c2cc2

Link:

https://www.unpac.me/results/ae5e5cee-bf07-457d-917a-bf1e53e4d0e2/

SH256 hash:

1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a

MD5 hash:

18856c5e2a81b29efb2e77dec6b50387

SHA1 hash:

27a42dd0e7d2711bf0cd8a96159ff521542115d7

Link:

https://www.unpac.me/results/ae5e5cee-bf07-457d-917a-bf1e53e4d0e2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1f9b5c120efb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/176612/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample