MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
SHA3-384 hash: 3fcadcb45475de715f64677e2b6e4e0e5d2650cd57025c999fdda9302fa05ade1d16d8a69d94ea2183cd3698dc22fce9
SHA1 hash: 65d99ebb9c66bd65738c318727617e145cb7a331
MD5 hash: e27c0c55beced8afe48593bfd8bf330a
humanhash: jupiter-spaghetti-dakota-pluto
File name:RFQ 6000066536.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:382'306 bytes
First seen:2023-07-04 08:11:44 UTC
Last seen:2023-07-05 13:59:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:vYa6fNfrzvw86FftvVMUVHS0ldyYcpco7Kk02gtZvvFcijeWUofUVkdyZ4:vYVNo86fSUVy0ObBivFtSdofeW
Threatray 3'222 similar samples on MalwareBazaar
TLSH T1BC8413D597C0C053FEE31B311F3A5BE36EB6A813286EDB160B419B5D3921752AA5C332
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook RFQ

Intelligence

File Origin
# of uploads :
4
# of downloads :
303
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 6000066536.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-04 08:14:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aee3e35f-4bfe-4251-a096-f0e8b358da49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/406312/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22782.7400.18897.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95487/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64a3d4531989c03c1e4b1fd9/reports/36f4e141-7d74-498f-97bf-dc6ef071aafa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91b32240-71fd-434f-b2a5-e31cba304466
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266464
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266464 Sample: RFQ_6000066536.exe Startdate: 04/07/2023 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected FormBook 2->51 53 Machine Learning detection for sample 2->53 9 RFQ_6000066536.exe 1 21 2->9         started        13 mvfbkgpyu.exe 19 2->13         started        process3 file4 35 C:\Users\user\AppData\...\mvfbkgpyu.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\...\egicixibq.dll, PE32 9->37 dropped 71 Detected unpacking (changes PE section rights) 9->71 73 Maps a DLL or memory area into another process 9->73 15 RFQ_6000066536.exe 9->15         started        39 C:\Users\user\AppData\Local\...\egicixibq.dll, PE32 13->39 dropped 18 mvfbkgpyu.exe 13->18         started        signatures5 process6 signatures7 79 Maps a DLL or memory area into another process 15->79 81 Sample uses process hollowing technique 15->81 83 Queues an APC in another process (thread injection) 15->83 20 mvfbkgpyu.exe 19 15->20         started        process8 file9 33 C:\Users\user\AppData\Local\...\egicixibq.dll, PE32 20->33 dropped 55 Multi AV Scanner detection for dropped file 20->55 57 Detected unpacking (changes PE section rights) 20->57 59 Machine Learning detection for dropped file 20->59 61 Maps a DLL or memory area into another process 20->61 24 svchost.exe 13 20->24         started        27 mvfbkgpyu.exe 20->27         started        signatures10 process11 signatures12 63 Tries to steal Mail credentials (via file / registry access) 24->63 65 Tries to harvest and steal browser information (history, passwords, etc) 24->65 67 Modifies the context of a thread in another process (thread injection) 24->67 69 Maps a DLL or memory area into another process 24->69 29 explorer.exe 1 24->29 injected process13 dnsIp14 41 www.fuzzpos.xyz 203.161.55.148, 49721, 49722, 49723 VNPT-AS-VNVNPTCorpVN Malaysia 29->41 43 3xin5.zhanghonghong.com 122.10.20.248, 49727, 49728, 80 DXTL-HKDXTLTseungKwanOServiceHK Hong Kong 29->43 45 4 other IPs or domains 29->45 75 System process connects to network (likely due to code injection or exploit) 29->75 77 Performs DNS queries to domains with low reputation 29->77 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 07:19:57 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5dlc7i5xc63gczt36uo2uzvcsn3j6japahdjg3laikv4m34rnlq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
Formbook
2106aa8235bc1e05d367bae1e65c50bf8d11c4b4106ceebde0f9307ffcf273c0
Formbook
323f73b7cd367686fdc28a770469e6f6b3b1e45b6f375ef836bd3636880a102c
Formbook
47d1e16275d98873c63ed2cfe032b171513ff063ccc19399815846d950ed09d6
Formbook
7806b747871480b540e81ab255b9f18a97d7fd8ee150b2c85484acf08174b5ca
Formbook
8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a
Formbook
b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe
Formbook
c81c83ab1925106c70d6393edc0fcc117a4cb12ac96383ad28ceabe54c12fb4f
Formbook
ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Formbook
+ 3'212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230704-j3tztsbf35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
c3e2459954ece4f7d7b83677d1df9862e720d595e8a9aba7b214b833725a172d
MD5 hash:
51e4407fcf08cbc3f0d03b1628a80770
SHA1 hash:
55920b7b63e775c58e8cc611ee849702610c35f6
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
Parent samples :
4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
c433841d01e8b7901e45455592fd6db08dd48b4caf2682d3222078018475de60
5adf7d2d4f1364dade98a5c7b94421458d87391204bf0123563766180e7524a0
SH256 hash:
ed64a7477371b98b059c283dde9eb172902d718f935e404333eabf67e855d11e
MD5 hash:
18bfc9443cbd1df7df3767e14c0ea0c7
SHA1 hash:
eaf5779203c7b8eabf571e6972e6449e2b4d9730
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
SH256 hash:
94dcfc7778c2e65c6d565a5ea966a5774667e25c325a932a43cb3da0d97bd98a
MD5 hash:
6335f447e0555fca1d51629ae9a39f35
SHA1 hash:
a3c6efb1e8d5691f92036ef558a45e0f16ca9f9c
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
SH256 hash:
c3e2459954ece4f7d7b83677d1df9862e720d595e8a9aba7b214b833725a172d
MD5 hash:
51e4407fcf08cbc3f0d03b1628a80770
SHA1 hash:
55920b7b63e775c58e8cc611ee849702610c35f6
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
Parent samples :
4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
c433841d01e8b7901e45455592fd6db08dd48b4caf2682d3222078018475de60
5adf7d2d4f1364dade98a5c7b94421458d87391204bf0123563766180e7524a0
SH256 hash:
ed64a7477371b98b059c283dde9eb172902d718f935e404333eabf67e855d11e
MD5 hash:
18bfc9443cbd1df7df3767e14c0ea0c7
SHA1 hash:
eaf5779203c7b8eabf571e6972e6449e2b4d9730
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
SH256 hash:
94dcfc7778c2e65c6d565a5ea966a5774667e25c325a932a43cb3da0d97bd98a
MD5 hash:
6335f447e0555fca1d51629ae9a39f35
SHA1 hash:
a3c6efb1e8d5691f92036ef558a45e0f16ca9f9c
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
SH256 hash:
c3e2459954ece4f7d7b83677d1df9862e720d595e8a9aba7b214b833725a172d
MD5 hash:
51e4407fcf08cbc3f0d03b1628a80770
SHA1 hash:
55920b7b63e775c58e8cc611ee849702610c35f6
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
Parent samples :
4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
c433841d01e8b7901e45455592fd6db08dd48b4caf2682d3222078018475de60
5adf7d2d4f1364dade98a5c7b94421458d87391204bf0123563766180e7524a0
SH256 hash:
ed64a7477371b98b059c283dde9eb172902d718f935e404333eabf67e855d11e
MD5 hash:
18bfc9443cbd1df7df3767e14c0ea0c7
SHA1 hash:
eaf5779203c7b8eabf571e6972e6449e2b4d9730
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
SH256 hash:
94dcfc7778c2e65c6d565a5ea966a5774667e25c325a932a43cb3da0d97bd98a
MD5 hash:
6335f447e0555fca1d51629ae9a39f35
SHA1 hash:
a3c6efb1e8d5691f92036ef558a45e0f16ca9f9c
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
SH256 hash:
4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
MD5 hash:
e27c0c55beced8afe48593bfd8bf330a
SHA1 hash:
65d99ebb9c66bd65738c318727617e145cb7a331
Link:
https://www.unpac.me/results/b6dedaef-53d7-43bd-b60d-395a1c2b7da9/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f46b17d1db8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 151cdbd8e7ea19668c94f466447c808fcaec3da966f10b0190747b2fe5f97b0f

Formbook

Executable exe 4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 151cdbd8e7ea19668c94f466447c808fcaec3da966f10b0190747b2fe5f97b0f
Cape
Cape
https://www.capesandbox.com/analysis/406312/
  
Dropped by
MD5 b6269d141110bd10503251eb4b3e968b

Comments