MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54ca735ff5fee6b29cc940ecb074e3b58c24ad834fee7cfbe56e78a04aa8e085. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: 54ca735ff5fee6b29cc940ecb074e3b58c24ad834fee7cfbe56e78a04aa8e085
SHA3-384 hash: bad0889fb613808e403788245337849904dec69d54d4d32b6cb381ea292243aa6984f0966b60ce77aafe4794b9cc95ef
SHA1 hash: ce5376b3ffd19e056ef3991aca703a19f812b27f
MD5 hash: b48a5e362278c2b5c6846760cecd813c
humanhash: victor-johnny-nuts-steak
File name: Quotation.exe
Signature: Formbook
File size: 1'099'264 bytes
First seen: 2022-03-25 14:22:26 UTC
Last seen: 2024-07-24 14:27:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cca1320226e806cf0d983ee82566105c (5 x RemcosRAT, 3 x Formbook, 1 x NetWire)
ssdeep: 24576:+TLmKxzGyM4qG2AakO6fjPViDl1ePdCLHbW:kl4JbsjI0PdCLb
Threatray: 11'720 similar samples on MalwareBazaar
TLSH: T1A8355B6DB2D0D036C41246345D2A7F7597F67E50DD249802AEECFEC88E36EA03B25297
dhash icon: 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter: GovCERT_CH
Tags: exe FormBook xloader

Intelligence


File Origin
# of uploads: 3
# of downloads: 248
Origin country: n/a
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: Quotation.exe
Verdict: Malicious activity
Analysis date: 2022-03-25 11:23:52 UTC
Tags: formbook trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe keylogger replace.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph (ID 597113; sample Quotation.exe; start date 25/03/2022; architecture WINDOWS; score 100). Recoverable content of the graph image:
- Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
- Quotation.exe: contacts onedrive.live.com and 2 other IPs or domains; drops C:\Users\Public\Yfdepkr.exe (PE32), C:\Users\Public\rkpedfY.url (MS) and C:\Users\Public\Yfdepkr.exe:Zone.Identifier (ASCII); Drops PE files to the user root directory; Writes to foreign memory regions; Allocates memory in foreign processes; starts logagent.exe
- Yfdepkr.exe (two instances): contacts 192.168.2.1, onedrive.live.com and 2 other IPs or domains; Multi AV Scanner detection for dropped file; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes; starts logagent.exe
- logagent.exe: Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; explorer.exe injected
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2022-03-25 11:29:10 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 15 of 42 (35.71%)
Threat level: 2/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:fhuh loader persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SHA256 hash: 068cef9c429fbe73f9268463519ad822c22f489853a8f783fe6fbad4f11ffa5d
MD5 hash: 4544f7313ade8dcf258c38b02b7bab1a
SHA1 hash: d7c23af72bd51789975a93578d559d8b045ccb06
SHA256 hash: ca2ce40cb878ee57a487ee26e86a6d5be9996171f32d8eea12f19f974bd6dcb8
MD5 hash: 1f2c2df0c24a74f49c5b37a45a92f826
SHA1 hash: 915f340b525a5e4cd5f3aa380c747a925ad1732d
Detections: win_dbatloader_w0
Parent samples:
SHA256 hash: 54ca735ff5fee6b29cc940ecb074e3b58c24ad834fee7cfbe56e78a04aa8e085
MD5 hash: b48a5e362278c2b5c6846760cecd813c
SHA1 hash: ce5376b3ffd19e056ef3991aca703a19f812b27f
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 54ca735ff5fee6b29cc940ecb074e3b58c24ad834fee7cfbe56e78a04aa8e085 (this sample)
Dropped by: xloader
Delivery method: Distributed via e-mail attachment

Comments