MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697
SHA3-384 hash: cafbf6e7dfeab40388e0ac1112f834a9e23e7b398b7cb2703acb0e715bb65a1edbb843ad5b4ee6a159492bc4ad99b342
SHA1 hash: 73261dbe9e9369a4765f3c447a14cc49eb85398b
MD5 hash: e7e3d4ccef5bc7edf16b739d2602ebc5
humanhash: oven-oregon-mockingbird-carpet
File name:Inquiry.doc05102022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:907'264 bytes
First seen:2022-05-10 04:31:24 UTC
Last seen:2022-05-10 05:41:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:CmdDfxt7J0On0C9MvhvNC+nXJqUfYNLOhYwzzWY3dQgIYc:x2Ozs1C+nXsUfYodz/eg
Threatray 15'285 similar samples on MalwareBazaar
TLSH T10B158C10B3D8ED99E42A12B1C975C4F00771BE4AD5B2D70F299A7D8E38B33426166F1B
TrID 54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f26efec4b6c2c00c (24 x AgentTesla, 14 x Loki, 12 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Inquiry.doc05102022.exe
Verdict:
Malicious activity
Analysis date:
2022-05-10 04:34:06 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/5055b248-2571-407a-af6c-77418c656104

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn34.14701.24668.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6279eaddb119a5f609b636d0/reports/c81a8548-e3c1-4fef-9500-a05ee2af30da/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/751001ff-fc5e-4dee-a1bd-a790352f1df4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990689
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 623185 Sample: Inquiry.doc05102022.exe Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 36 www.wukuns.com 2->36 38 www.hh1137.xyz 2->38 40 2 other IPs or domains 2->40 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 7 other signatures 2->54 11 Inquiry.doc05102022.exe 3 2->11         started        signatures3 process4 file5 34 C:\Users\user\...\Inquiry.doc05102022.exe.log, ASCII 11->34 dropped 68 Tries to detect virtualization through RDTSC time measurements 11->68 70 Injects a PE file into a foreign processes 11->70 15 Inquiry.doc05102022.exe 11->15         started        signatures6 process7 signatures8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 Queues an APC in another process (thread injection) 15->78 18 explorer.exe 1 15->18 injected process9 dnsIp10 42 www.nathanlou.top 142.234.236.174, 49840, 49841, 49842 LEASEWEB-USA-SEA-10US United States 18->42 44 www.giblingse.com 66.29.155.228, 49813, 80 ADVANTAGECOMUS United States 18->44 46 4 other IPs or domains 18->46 56 System process connects to network (likely due to code injection or exploit) 18->56 22 systray.exe 1 12 18->22         started        signatures11 process12 signatures13 58 Tries to steal Mail credentials (via file / registry access) 22->58 60 Self deletion via cmd delete 22->60 62 Creates autostart registry keys with suspicious names 22->62 64 4 other signatures 22->64 25 cmd.exe 2 22->25         started        28 cmd.exe 1 22->28         started        process14 signatures15 66 Tries to harvest and steal browser information (history, passwords, etc) 25->66 30 conhost.exe 25->30         started        32 conhost.exe 28->32         started        process16
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 00:50:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2kw3wonly7wfr4re7s6rpgtwqqgswqbclpsk2vaonsly2rs42lq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7
Formbook
365513da20efb05517fcb10a348acb39e3391a5ec8cb44c8a6f15253e661b401
Formbook
3bdf54d6b07a96a026ed34f1db8d5cc442c1a211d02ff888659d7263ccc77c4c
Formbook
513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99
Formbook
574fa65d6f75e60274434f27f9f28f439c093ba8ba7eb8303a441a5e851d70c8
Formbook
a3eb9cb4b46ef56131c171edab5015355e63f8c2f94bc8f5bc23ed0a48ea3d7f
Formbook
b1864b93f536f9f345949786b9d7229a56745506750c886abd462f07cb92a93b
Formbook
bea7dde650c823aa2887bc7065abd818c02e573c041ea69c1ea60c43fe1a79df
Formbook
cb4f0f68dacf3b0deddf62a86e6d8d4963ba941f6aadf2f874ece8ee3768ab54
Formbook
+ 15'275 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:83g4 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220510-e5ynksehf2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
4191fbba733adde528188abb317f9d0f0f80c46d8acdd2c1a97db155cf319845
MD5 hash:
b2e6e76aba1fc5db4cae28fd2146d5da
SHA1 hash:
3c94465d694d624cdfd8beee07bb13212f7c469e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/63a48a41-ea0f-4e15-a3d7-97cd6debf39c/
Parent samples :
46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697
345642b76b3a499884c227983fb3a9f9c9ea9078b34cd577ee674d260aa1ccf6
SH256 hash:
5d3bd5c9f223d2cd0e8123b7b0eea33ca8b61d5a00288134884e4d61bdc0c42f
MD5 hash:
3919181ff812b200d89a9547e5fb2635
SHA1 hash:
d66b3c860ba35b2f03daa3ba40b793cc5bc43edf
Link:
https://www.unpac.me/results/63a48a41-ea0f-4e15-a3d7-97cd6debf39c/
SH256 hash:
17b44b83626fe7c9439c4c90dd8be91ce47eeb628fa5e73a36a0a1c2adf18050
MD5 hash:
b5d693958fde64de49c36332f81862dc
SHA1 hash:
9ee8649defd3d398ebf582238ac1b093e30cb530
Link:
https://www.unpac.me/results/63a48a41-ea0f-4e15-a3d7-97cd6debf39c/
SH256 hash:
a37d47a3424a5eeaebbe5a54834e1bc762548cb4431f2703cd23ef0c99f034e0
MD5 hash:
1e102823c924b9ea0544d466791a35f6
SHA1 hash:
454d4fb6d4400bcc6d3007d686a88a2e209e7a28
Link:
https://www.unpac.me/results/63a48a41-ea0f-4e15-a3d7-97cd6debf39c/
SH256 hash:
46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697
MD5 hash:
e7e3d4ccef5bc7edf16b739d2602ebc5
SHA1 hash:
73261dbe9e9369a4765f3c447a14cc49eb85398b
Link:
https://www.unpac.me/results/63a48a41-ea0f-4e15-a3d7-97cd6debf39c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46956dd9cd5e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 46956dd9cd5e3f62c79127e5e8bcd3b420695a0112df256aa07364bc6a32e697

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment

Comments