MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce
SHA3-384 hash: a8afcf7d35cb807df26147e903a820e0103c021a0732f67f1f7a9330be27d6140487556acc352b4db5f0ba1167cf0461
SHA1 hash: e6c1fd6591a64ad27300a21feed4d2f041fe8cd2
MD5 hash: ce80f11188752ec28c7e75986d83d396
humanhash: four-batman-east-delta
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:667'648 bytes
First seen:2022-05-11 04:17:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:npepFsnFTpwmuVahL+sqo5mD89jX9NFWdCJ6kXtx46JgsSUkZmHTSp:noMnp7uVa9+YQDoX9SxaL4DPUkZt
Threatray 13'957 similar samples on MalwareBazaar
TLSH T12AE4120823E8AB35E2BF2B7951B924096FF9BD16D532E31C5FC4148E29A7BD149047B3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d2e25945ba9cf0 (15 x AgentTesla, 9 x Formbook, 7 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269593/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627b391892de4ecac4101a89/reports/6561179c-0cfa-4cb8-a4f2-31a3127477d3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d3ce3d8-3b24-49e3-9f26-99de848490da
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991605
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624101 Sample: Quotation.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 41 www.zhishi12.com 2->41 43 www.happyhoursci.biz 2->43 45 happyhoursci.biz 2->45 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Yara detected AntiVM3 2->55 57 6 other signatures 2->57 11 Quotation.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\RoamingbehaviorgraphtfbKGF.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmp6A2B.tmp, XML 11->39 dropped 63 Uses schtasks.exe or at.exe to add and modify task schedules 11->63 65 Adds a directory exclusion to Windows Defender 11->65 67 Tries to detect virtualization through RDTSC time measurements 11->67 15 Quotation.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 77 Modifies the context of a thread in another process (thread injection) 15->77 79 Maps a DLL or memory area into another process 15->79 81 Sample uses process hollowing technique 15->81 83 Queues an APC in another process (thread injection) 15->83 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process9 dnsIp10 47 happyhoursci.biz 147.182.200.157, 49801, 49807, 80 BV-PUBLIC-ASNUS United States 22->47 49 www.happyhoursci.biz 22->49 59 System process connects to network (likely due to code injection or exploit) 22->59 61 Uses ipconfig to lookup or modify the Windows network settings 22->61 30 ipconfig.exe 12 22->30         started        signatures11 process12 signatures13 69 Self deletion via cmd delete 30->69 71 Modifies the context of a thread in another process (thread injection) 30->71 73 Maps a DLL or memory area into another process 30->73 75 Tries to detect virtualization through RDTSC time measurements 30->75 33 cmd.exe 1 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 04:18:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldjskni3ph4e22hpkwdn4q7mg4epydqufkbqa765xv5alqqaehha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0119c8252290ab1c092ee4ab1d9cd18502909207bf3368491b1448a8f7e14513
Formbook
2ac7632aac460d738f260cbc0913805ca0b3421f7e241b9708688be292600e73
Formbook
2ee32fd5fafe174b2fdfa8dfd614686e9d8bf0552ff8ee78a3a1460566619769
Formbook
7b3be400d99b473afc9f2bdf46477b61736a71db20cd9d1137b0cab4d4aaeff9
Formbook
899615d89ed1fb1460cc0271763148d9fef6286e4714a4028bbdbadb6e6b9a30
Formbook
a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2
Formbook
a8e45b2b0117e0a1e195a054667fca524862223bd2838a17f2ac9f47fe6191cc
Formbook
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
Formbook
b28653e85b97fd93c5d893839290ff17e6a6eb748eba11c9ee11ec9884e35410
Formbook
+ 13'947 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m29n rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220511-ewybfsfgd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
59f2a7573752d88a8d0faac6facac38742bc121eba43ebe34a726af58ec66148
MD5 hash:
36a06fbe436db1b1ee3d2de4935e65fc
SHA1 hash:
3258d29b34769de16a13216d7be0a5849c6736e9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/670d5ea6-4968-4b82-a1ab-fab400062c9b/
Parent samples :
58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce
89a9b77261ed533dbce028de014c1e6b35ffae6419d2c9dc12178bfc49f7e5af
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/670d5ea6-4968-4b82-a1ab-fab400062c9b/
SH256 hash:
48954a4a6444010c4c786c804eaa976136337d35904aca4f440a8748f7e45652
MD5 hash:
9e0dabb2ddeefdfb8a020c69e595bc87
SHA1 hash:
8f8ecb393d5fb2e15485f545bc7db7046463aadc
Link:
https://www.unpac.me/results/670d5ea6-4968-4b82-a1ab-fab400062c9b/
SH256 hash:
a4be113e7966371fbd767bf31cd849806134e2fd4206e511f4de8546b45b6b8f
MD5 hash:
9979620656ab2a18d1eb08efbbe8269f
SHA1 hash:
5a15c25180457f85cdb2e4833d3024deab7c37c8
Link:
https://www.unpac.me/results/670d5ea6-4968-4b82-a1ab-fab400062c9b/
SH256 hash:
58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce
MD5 hash:
ce80f11188752ec28c7e75986d83d396
SHA1 hash:
e6c1fd6591a64ad27300a21feed4d2f041fe8cd2
Link:
https://www.unpac.me/results/670d5ea6-4968-4b82-a1ab-fab400062c9b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269593/

Comments