MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069
SHA3-384 hash: 02745f746e5e40191b1fbe1e1cd0da5c121009953f16598582920704ced514ef325c6de8f979ef0a15a2737f55f8a45e
SHA1 hash: fb807df4cf112fca7aa7c9ac2c9b165582a4efac
MD5 hash: db67de3b3f3e25e11a0ed58fc3319d3c
humanhash: cola-paris-lamp-hot
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'078'512 bytes
First seen:2021-02-01 14:27:57 UTC
Last seen:2021-02-01 16:29:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 699c56e4bac62bd316332ce2372bf95c (1 x Formbook, 1 x NetWire)
ssdeep 12288:bsbH80N0+CcJTs+5n9LECu3OXQUP41WVj4V688nOfoHN+3x7y6Mx+QXX1x6tcn:bAnCcbneCUFU5jXJ9+DM4QVpn
Threatray 3'721 similar samples on MalwareBazaar
TLSH 14358E61A2504536F0336B78E81B16D466A57B3F3E285F49EAE8194E0F3F2807C651BF
Reporter James_inthe_box
Tags:exe FormBook

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-01 14:31:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4058cffa-8319-488b-83a7-298c8a800f82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114958/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595410
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected FormBook malware
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Steal Google chrome login data
Sigma detected: Suspicious Program Location Process Starts
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346743 Sample: Quotation.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 50 www.theselfcaremenu.com 2->50 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 10 other signatures 2->82 11 Quotation.exe 1 18 2->11         started        signatures3 process4 dnsIp5 58 cdn.discordapp.com 162.159.130.233, 443, 49733 CLOUDFLARENETUS United States 11->58 46 C:\Users\Public\Libraries\Rckifzen.exe, PE32 11->46 dropped 48 C:\Users\Public\Libraries\Rckif, ASCII 11->48 dropped 106 Creates multiple autostart registry keys 11->106 108 Writes to foreign memory regions 11->108 110 Allocates memory in foreign processes 11->110 112 2 other signatures 11->112 16 ieinstal.exe 11->16         started        file6 signatures7 process8 signatures9 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 19 explorer.exe 2 16->19 injected process10 dnsIp11 52 www.myvlclothing.com 212.32.237.101, 49759, 49760, 49761 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 19->52 54 www.anonymousrecovery.net 19->54 56 website-rendering.jouwweb.nl 35.204.150.5, 49762, 49763, 49764 GOOGLEUS United States 19->56 84 System process connects to network (likely due to code injection or exploit) 19->84 23 wscript.exe 1 18 19->23         started        27 Rckifzen.exe 19->27         started        29 Rckifzen.exe 19->29         started        31 6 other processes 19->31 signatures12 process13 file14 42 C:\Users\user\AppData\...\355logrv.ini, data 23->42 dropped 44 C:\Users\user\AppData\...\355logri.ini, data 23->44 dropped 86 Detected FormBook malware 23->86 88 Tries to steal Mail credentials (via file access) 23->88 90 Creates multiple autostart registry keys 23->90 104 3 other signatures 23->104 33 cmd.exe 2 23->33         started        92 Multi AV Scanner detection for dropped file 27->92 94 Writes to foreign memory regions 27->94 96 Allocates memory in foreign processes 27->96 36 ieinstal.exe 27->36         started        98 Creates a thread in another existing process (thread injection) 29->98 100 Injects a PE file into a foreign processes 29->100 38 ieinstal.exe 29->38         started        102 Tries to detect virtualization through RDTSC time measurements 31->102 signatures15 process16 signatures17 68 Tries to harvest and steal browser information (history, passwords, etc) 33->68 40 conhost.exe 33->40         started        70 Modifies the context of a thread in another process (thread injection) 36->70 72 Maps a DLL or memory area into another process 36->72 74 Sample uses process hollowing technique 36->74 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-01-31 11:38:55 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcqsef4pogqmuq2mbkkx5nqe6aggejk2jgryub5dzihjgyiswbuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
38dac51ef91ec8f45bdb2749e2eec758b07e7b9855f2b9b25d2e59783ba9ff41
Formbook
5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2
Formbook
64ec03c92b5fbbb63420e370ff8f879454ddd61c88f3ff41e2f5ce09eabab5f2
Formbook
87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e
Formbook
894f564c6c023c4baf66d72f13578bbfcd992b21f42f3f732887933d438ddbb7
Formbook
8f61dce0f0bc33e2ccefc5ef5fd22ced3466ae4c5d2832bfa5d05d97b7e6a51f
Formbook
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Formbook
cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167
Formbook
ee40683e96581996668cca3117c6c9759c590aab40cc4871a6f60275f725ab6e
Formbook
fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e
Formbook
+ 3'711 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210201-ln64839xvn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
c7385cf608325b7521aec35e1cc1d096ee6d1523f06677ee9761d5b52e9e56b6
MD5 hash:
7f252ebbd7f09b34f16e03f806db27c0
SHA1 hash:
c44771e4a7123d45261b0a87851f69f8c9d6eef6
Link:
https://www.unpac.me/results/0e288a84-3ce8-410a-9b1a-597a827472db/
SH256 hash:
28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069
MD5 hash:
db67de3b3f3e25e11a0ed58fc3319d3c
SHA1 hash:
fb807df4cf112fca7aa7c9ac2c9b165582a4efac
Link:
https://www.unpac.me/results/0e288a84-3ce8-410a-9b1a-597a827472db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114958/

Comments