MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
SHA3-384 hash: 56af1bba0c17fe445facfbe2398e33475b943bf735fc3aaa71a615f7139dead7204f512b531c91b9f67f19eedc8a404c
SHA1 hash: d933aac89872b6a5f60901563b19c6715a0d007a
MD5 hash: 59d24bcc44a883d21a48b2d368a1ff45
humanhash: hydrogen-blossom-queen-happy
File name:Quotation.pif
Download: download sample
Signature Formbook
Create hunting rule
File size:1'014'784 bytes
First seen:2022-09-26 12:51:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:dHeyEXo6MY++34Ot1UzDMHvRJUHoPYFoBMmTA0+bB/jIyBXRsZZ4wiPWL1QORWl5:m/DkM1nHvRJ9PYqs0+5FXk+P41Q7BBz
Threatray 14'724 similar samples on MalwareBazaar
TLSH T1A72501371BEA8B07D152767885D1C7FAE3A9DC11E467C6976BCA6C1FF08A0619B30321
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313587/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/6331a073e2ddbcc5eca6d181/reports/b8df9423-4b87-4aea-bd19-0e37cbdec60c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c98d7b34-4c62-4cbf-aea7-57982ab43f37
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1077345
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709891 Sample: Quotation.pif.exe Startdate: 26/09/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 8 other signatures 2->52 8 Quotation.pif.exe 7 2->8         started        process3 file4 32 C:\Users\user\AppData\...\OJGfLeUSALnpf.exe, PE32 8->32 dropped 34 C:\...\OJGfLeUSALnpf.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmp10B9.tmp, XML 8->36 dropped 38 C:\Users\user\...\Quotation.pif.exe.log, ASCII 8->38 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Writes to foreign memory regions 8->60 62 Adds a directory exclusion to Windows Defender 8->62 64 Injects a PE file into a foreign processes 8->64 12 RegSvcs.exe 8->12         started        15 powershell.exe 20 8->15         started        17 schtasks.exe 1 8->17         started        19 RegSvcs.exe 8->19         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 12->66 68 Maps a DLL or memory area into another process 12->68 70 Sample uses process hollowing technique 12->70 72 Queues an APC in another process (thread injection) 12->72 21 explorer.exe 12->21 injected 25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        process8 dnsIp9 40 fonasa.info 50.31.174.103, 49734, 49735, 49736 SERVERCENTRALUS United States 21->40 42 jh-osaka.com 163.43.80.77, 49707, 49708, 49709 SAKURA-BSAKURAInternetIncJP Japan 21->42 44 19 other IPs or domains 21->44 54 System process connects to network (likely due to code injection or exploit) 21->54 56 Performs DNS queries to domains with low reputation 21->56 29 rundll32.exe 13 21->29         started        signatures10 process11 signatures12 74 Tries to steal Mail credentials (via file / registry access) 29->74 76 Tries to harvest and steal browser information (history, passwords, etc) 29->76 78 Modifies the context of a thread in another process (thread injection) 29->78 80 Maps a DLL or memory area into another process 29->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 05:38:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kazkhw6jp4l5xjopjj64m6tmtltcsorujwozim6wh2gndabcnetq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ce69faea59302ed3bc44d2ec28481fa664a4d57506172e92cd4a9c62a9fcdaf
Formbook
2e6b14e41b3f871355635c7427cb1531a9b61a37e137f90a590d21eab7648f2f
Formbook
649e67dfa9829d849ab0e2e5dd9c40702dbb89cf5a8a02ad111c5f2df79c411f
Formbook
78d04244289fe215008b2c7d8937813b740228e5b60092287346e66e29c8182d
Formbook
7ca3b28aa32d6b9bd972c430c47691db7212f9fd7b713c3ff2fab8b10a0bd66a
Formbook
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
Formbook
ba162d7df1cd1beb851a29a69054491959d8ee6ad27f18b3e9dc57a3f6df1122
Formbook
e7104f2261f0eac61f2f5c3e316f32475d10b1e4a0df6323f400d1446807d4a0
Formbook
f5e4fe8ba1f482c650dfe0122078475da2330edf2a0bab3357ff071d27fa1a36
Formbook
+ 14'714 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:nhg6 rat spyware stealer trojan
Link:
https://tria.ge/reports/220926-p32ybscacq/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e3e45e35-c4c4-4c81-9b3c-b53737269f1d
Unpacked files
SH256 hash:
0fe9987f49193699ae7f0f0d3f3cbbbf3d6f49ef9974f9996eabb65b96b79fad
MD5 hash:
86a1f76afd106fb440250d7db6e36127
SHA1 hash:
78d7cf2ac79de13df0284b1fdda8723399363c46
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
Parent samples :
db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc
5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
89af280045471592c70e1c139db75bbe28354d08370ac05dff4ea8245f2088b5
c85a06161a28fcfcc80891d618c37d37b72e970be0be060fec72925424412044
SH256 hash:
43d845107cb087ae980d87f2d03b60bd18cf92395ea0b10894680817144a0240
MD5 hash:
ee9ef71b76eb8c2d1099ad65b0527e7f
SHA1 hash:
59bb60e81e1f15aacf2c8daceafcfa18a8f371c2
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
SH256 hash:
0b82358a412bc8b7c7e7722963e98d70ac9eb49e5c70f9cad0c86ee51cf89755
MD5 hash:
232b074f9e9acd4afb680f242dd5ddcb
SHA1 hash:
f08f2761a298d5d4e36ad108c0af8f2b45b5b16a
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
SH256 hash:
9df41ddc11765adef648ffdc7bce5c72ca1bab9528bda19385deb0c8f3cfc6a9
MD5 hash:
c93de51b98dcf84d81155a8e5f1f5682
SHA1 hash:
a7c45def26c05aa8ea886640be29e0530b7184d1
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
SH256 hash:
5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
MD5 hash:
59d24bcc44a883d21a48b2d368a1ff45
SHA1 hash:
d933aac89872b6a5f60901563b19c6715a0d007a
Link:
https://www.unpac.me/results/122001cc-5cef-4652-9caf-a03b48db63c3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5032a3dbc97f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313587/

Comments