MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3
SHA3-384 hash: 57ff29bdc8d378ae125e4fde3dc87e192703171ceb8334ac342dc365cf5e070e346e663a0ab059b32fea1bfe7d3c74e9
SHA1 hash: 8309d1a58ee3435a2f53dcdcd66c249df050676b
MD5 hash: c4e59d5a230ac556ae33d6be30a8954a
humanhash: mango-delaware-thirteen-north
File name:RFQ 6M0141.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:776'192 bytes
First seen:2022-07-29 18:06:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:7tUMfbvDzc93oyREMdBy56uPuSddLkqgvHT0jtftyaIB94x4tBPPm2XQnxwPJx8c:03ogdo56uPNjg1HT0jtFBsFtZdMwxAxu
TLSH T1DCF4C02539ED521AF172AF7515D0F9A3AB7EBE333922E14D2890338B4533681CDA153B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295145/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62e422435c07b66577d615eb/reports/ce43e6ca-7e8c-454e-a4df-2861af6378cc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22a34953-b102-433f-b5bc-0b099470d58e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043293
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 675787 Sample: RFQ 6M0141.exe Startdate: 29/07/2022 Architecture: WINDOWS Score: 100 31 www.jxdqyx.com 2->31 33 ftgsx.ganqi.net 2->33 35 www.thebestlifeapp.com 2->35 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 8 other signatures 2->49 11 RFQ 6M0141.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\RFQ 6M0141.exe.log, ASCII 11->29 dropped 59 Injects a PE file into a foreign processes 11->59 15 RFQ 6M0141.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.platinumflooringaustralia.com 202.124.241.178, 49806, 80 NETREGISTRY-AS-APNetRegistryPtyLtdAU Australia 18->37 39 name.waaza.com 44.242.90.38, 49818, 80 AMAZON-02US United States 18->39 41 3 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmmon32.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3/
Threat name:
ByteCode-MSIL.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2022-07-29 13:44:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=irxi6mctokp2s652bihmu2itisayine7mphubhbdzjowrlawjozq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:ouvk loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220729-wqarmsbgh2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader payload
Formbook
Xloader
Unpacked files
SH256 hash:
17ba4ac36617ebbab083a09d64750d6eb2542973f6b5f205b14ef5041fc6f89f
MD5 hash:
9b7f453e225692c39b1beb42fe56bba5
SHA1 hash:
2d9826abfb94463156f25c4428ce6afe56f49076
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/ed8a0a5e-78a1-4abc-9457-739f51f996e9/
Parent samples :
ffa56449f84c15094bd1d4c93fe2a6e472005df760d3b8af816d7b523fef7b65
b704daa4a8ddc8d03b453d35507dc2c77a42cd96b5ee0fce810a51dc00fdee6c
c337a7a825db681ba33f4ddc9ba9cf108572d554f36708031c5909f3f5ffaae5
446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/ed8a0a5e-78a1-4abc-9457-739f51f996e9/
SH256 hash:
044aec9a09cec3a326e94e943593cb26bb7dea99bd11c5cd3a4acd7f70106bc8
MD5 hash:
fa8615543353f5df9b47a6271920f6e8
SHA1 hash:
a3678a458105eadf14895cdcd77f4f97b14f43d8
Link:
https://www.unpac.me/results/ed8a0a5e-78a1-4abc-9457-739f51f996e9/
SH256 hash:
f8599743a56a573b715d4c98fb87d308aa388a01c6acc91056a9b018a1bf2daa
MD5 hash:
ba16a6e82ca1ec7e2ae27158e93df00c
SHA1 hash:
9b0449f10737bcf044d233caf4f7cc9206d242c4
Link:
https://www.unpac.me/results/ed8a0a5e-78a1-4abc-9457-739f51f996e9/
SH256 hash:
13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451
MD5 hash:
8b3a92a3409ae046bf3dc0753fcf8685
SHA1 hash:
4455c3efa2bf569f6d180063bb1e104a22581d61
Link:
https://www.unpac.me/results/ed8a0a5e-78a1-4abc-9457-739f51f996e9/
SH256 hash:
446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3
MD5 hash:
c4e59d5a230ac556ae33d6be30a8954a
SHA1 hash:
8309d1a58ee3435a2f53dcdcd66c249df050676b
Link:
https://www.unpac.me/results/ed8a0a5e-78a1-4abc-9457-739f51f996e9/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/446e8f305372/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/446e8f3053729fa97bba0a0eca6913448184349f63cf409c23ca5d68ac164bb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/295145/

Comments