MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 485ad83319a3a7d9ad350442b92d97ff3900021a6cc49e745b3905beb1d5daa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 485ad83319a3a7d9ad350442b92d97ff3900021a6cc49e745b3905beb1d5daa2
SHA3-384 hash: 34f1140833993cd656cb26e33f7ce73d22423069b9ea78021cbcc5e09f1a475555a39a42ce9acb75c81bacde6705d41a
SHA1 hash: 3be7192e75763fecf2ce9fec2099605c153b9dd3
MD5 hash: 3bd15d06dfd6b00133cf568a802fd6df
humanhash: eleven-carpet-india-sierra
File name:REQUEST_FOR_QUOTE_00989_RFQ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:209'408 bytes
First seen:2021-09-03 09:26:45 UTC
Last seen:2021-09-05 10:06:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash aa2b72693aae6a6c6f24564ac3d32728 (4 x Formbook, 2 x RemcosRAT, 2 x AgentTesla)
ssdeep 6144:YQEfD/i1lkemVTtuASZNaEz2pjoLlhGiH:mmetufNhLb
Threatray 8'979 similar samples on MalwareBazaar
TLSH T10324F636B781F42EE482447DBA09EFA55464393029A8C453F7C1AF1B38715EBDA25F0B
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST_FOR_QUOTE_00989_RFQ.exe
Verdict:
Malicious activity
Analysis date:
2021-09-03 09:33:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a568368e-8f64-4d7d-a74d-42e90a1b984f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185151/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Sending a UDP request
Unauthorized injection to a system process
Malware family:
Dimnie
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3202a1b-353f-48a8-bae8-6027140f47d5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844687
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477116 Sample: REQUEST_FOR_QUOTE_00989_RFQ.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 29 www.qoqdigital.com 2->29 31 www.exurbanpress.com 2->31 33 2 other IPs or domains 2->33 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 3 other signatures 2->49 11 REQUEST_FOR_QUOTE_00989_RFQ.exe 14 2->11         started        signatures3 process4 dnsIp5 41 img.neko.airforce 167.172.239.151, 443, 49705 DIGITALOCEAN-ASNUS United States 11->41 63 Maps a DLL or memory area into another process 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 15 REQUEST_FOR_QUOTE_00989_RFQ.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.8992799.com 192.155.108.157, 49729, 80 VELIANET-ASvelianetInternetdiensteGmbHDE United States 18->35 37 ashliehein.com 98.129.229.113, 49728, 80 LIQUIDWEBUS United States 18->37 39 11 other IPs or domains 18->39 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Uses ipconfig to lookup or modify the Windows network settings 18->53 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 61 Tries to detect virtualization through RDTSC time measurements 22->61 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/485ad83319a3a7d9ad350442b92d97ff3900021a6cc49e745b3905beb1d5daa2/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 08:23:06 UTC
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jbnnqmyzuot5tljvarblslmx744qaaq2ntcj45c3hec35mov3kra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f09b5a5ad2bf792ed543e2b170d969e40591157ed92b5766c3cc3ab7deb2df1
Formbook
31a34d40d07e19268aaf8abeeae2716655969ebe2aaabfdc1b122318507c2e4e
Formbook
35010478a1deb14596e40b68bff541fdf1567b67116de6c8b3146f7352159420
Formbook
647c043687621e012ac9c04a69fe8590198d8e8e369431723dc848436438939a
Formbook
88ceee260ee9b4baa66e0aeb88821c2edbfebdb3f946cb8e1d3c4850ab0a0365
Formbook
9b795b925c16454a770214d5ef56ee695a5f562498d4d276cf160fbc13162c15
Formbook
a47054787772fce1a96257aa9f1a70356fb752ba73ee714beed7826796db3a13
Formbook
abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564
Formbook
f8efe3e66289ce15fd9b0f85a3e0d90660cae9f12385f69e81cfb6f2e3ece3c7
Formbook
+ 8'969 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:a6hg loader rat suricata
Link:
https://tria.ge/reports/210903-lerkxagagn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.cammininelmondo.com/a6hg/
Unpacked files
SH256 hash:
485ad83319a3a7d9ad350442b92d97ff3900021a6cc49e745b3905beb1d5daa2
MD5 hash:
3bd15d06dfd6b00133cf568a802fd6df
SHA1 hash:
3be7192e75763fecf2ce9fec2099605c153b9dd3
Link:
https://www.unpac.me/results/41fa794f-c38c-468a-9113-92dc89887df4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/485ad83319a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/485ad83319a3a7d9ad350442b92d97ff3900021a6cc49e745b3905beb1d5daa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 485ad83319a3a7d9ad350442b92d97ff3900021a6cc49e745b3905beb1d5daa2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185151/

Comments