MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 320f7bf0fe5297d7735fc088454b523107d87d011a332e0362da98df35b5d8c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	320f7bf0fe5297d7735fc088454b523107d87d011a332e0362da98df35b5d8c3
SHA3-384 hash:	20d6cc29207a510c86aca570295ef0f5fd3c81ecedb9a1cc2fbd20dfdeb7139ae08942579e43115a3096d1e6bf742969
SHA1 hash:	d6ac4a8c120ff0bba626a88cfab92a09a677d8d2
MD5 hash:	c505fbcaf1940fe5c01c43626f17c47a
humanhash:	harry-arkansas-oregon-indigo
File name:	Contract & Inquiry.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	427'930 bytes
First seen:	2022-10-31 10:10:50 UTC
Last seen:	2022-10-31 10:11:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	6144:FweEwTKu1gRtv6cWGqP+D5rElT0Cx6Yx74cNqVmWtqyiigLPsDCt:Mv6cxqP+dETEYxUcIVdLbgLEDCt
TLSH	T17594BE19D5449ED6D202B238E5FCFF1D46108FA6722EAB49D935BD0278727CF242AC8D
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9f197f3767531b47 (39 x Formbook, 12 x AgentTesla, 2 x RemcosRAT)
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

364

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Contract & Inquiry.exe

Verdict:

Malicious activity

Analysis date:

2022-10-31 10:12:10 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/1433b67e-2905-4f57-aa11-517149e4f42e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/326329/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.65215.25828.23749.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46957/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/635f9f38791bb7e48afde7ac/reports/8ccc080e-1fcd-41ec-8f33-7066eedd31bb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9909d5f1-e419-400d-b7fb-f3e75cabfeef

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1101555

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/320f7bf0fe5297d7735fc088454b523107d87d011a332e0362da98df35b5d8c3/

Threat name:

Win32.Trojan.GenericML

Status:

Malicious

First seen:

2022-10-28 08:19:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gihxx4h6kkl5o427yceeks2sged5q7ibdizs4a3c3kmn6nnv3dbq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:docv rat spyware stealer trojan

Link:

https://tria.ge/reports/221031-l7x86aafa8/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/493f26f6-d3f4-40fe-8433-c42643cd4f5d

Unpacked files

SH256 hash:

2374dae887ec717c748faf816dc37896f7f1d063203101d6aadc04dd413af870

MD5 hash:

98bf319ec325584aa76ff21e47581bf1

SHA1 hash:

d54f7969d03e859b87db59251ba7006e163d6a06

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/620ff9a7-a011-4b83-8438-68e1bf2348e6/

Parent samples :

320f7bf0fe5297d7735fc088454b523107d87d011a332e0362da98df35b5d8c3
9c093643caa5d9e0a314fdd8bad4c6b44d64793f36d7627a7219080f29de4ccb
8ddd2ba01927bb631eda5dee78b63f8cdb91db44e9418fd4eb313b6b4847f6d7
b48635778fb14d1746af5e53f73c843362de073e5839003586f8d7d4cf0a6df5
91de74dad55c2b232479de6bb60f68a3c3a260aad21bfb00a10c1e53d25f934a
dff25372f8a0a3b43b9de36be64239d4cb3c722b95d416cd48b44c734689d20c

SH256 hash:

341832198859b433367fb2773aa592cc9373c45ad1770f6a5caabdc19547bc1e

MD5 hash:

c4361046f8be6d85c77eb487b25d3662

SHA1 hash:

d925a30d022684b9df18237c22638d387392682f

Link:

https://www.unpac.me/results/620ff9a7-a011-4b83-8438-68e1bf2348e6/

SH256 hash:

320f7bf0fe5297d7735fc088454b523107d87d011a332e0362da98df35b5d8c3

MD5 hash:

c505fbcaf1940fe5c01c43626f17c47a

SHA1 hash:

d6ac4a8c120ff0bba626a88cfab92a09a677d8d2

Link:

https://www.unpac.me/results/620ff9a7-a011-4b83-8438-68e1bf2348e6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/320f7bf0fe52/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/320f7bf0fe5297d7735fc088454b523107d87d011a332e0362da98df35b5d8c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.