MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753
SHA3-384 hash: 77b3d28646e65b5a11b145bc20f136031d126dce9860a4f50c864950e552c50a603d068b2c7ae9b26c145c523b269916
SHA1 hash: b55b9f567223d8f93b6beccbcd8e69dfa4f27f6e
MD5 hash: f9cedb14027bc52ad967ade78d3ed988
humanhash: kansas-magnesium-early-bluebird
File name:RFQ 01.300.TRGVH.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:827'392 bytes
First seen:2022-10-22 09:39:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:jZfEu5xEkDuHvFwzmqWpzZSauZMxmCS7zijqj6oPHhxSPNYO:s1PFwKdqauZMxfwiO6oJxOqO
Threatray 16'755 similar samples on MalwareBazaar
TLSH T1AB055AB626D11217E42972759083E6F326FBAE506041E1C3A1D74F6FBC851BBD62338B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 01.300.TRGVH.exe
Verdict:
Malicious activity
Analysis date:
2022-10-22 09:43:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86796a32-86f8-4a3f-9380-56701f1e4ae2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/322603/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6353ba72898b0652a4b95797/reports/40de98d5-6f47-430c-802c-856563ae02fe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2984f521-e716-493e-9949-816f354b7427
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095429
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 728070 Sample: RFQ 01.300.TRGVH.exe Startdate: 22/10/2022 Architecture: WINDOWS Score: 100 27 www.metodotorresmiguel.site 2->27 29 www.catsyproxy.com 2->29 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 7 other signatures 2->41 9 RFQ 01.300.TRGVH.exe 3 2->9         started        signatures3 process4 file5 25 C:\Users\user\...\RFQ 01.300.TRGVH.exe.log, ASCII 9->25 dropped 55 Injects a PE file into a foreign processes 9->55 13 RFQ 01.300.TRGVH.exe 9->13         started        16 RFQ 01.300.TRGVH.exe 9->16         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 18 explorer.exe 13->18 injected process9 dnsIp10 31 www.madhavropa.com 162.213.249.67, 49731, 80 NAMECHEAP-NETUS United States 18->31 33 www.tpc-tt.site 18->33 43 System process connects to network (likely due to code injection or exploit) 18->43 45 Uses netstat to query active network connections and open ports 18->45 22 NETSTAT.EXE 13 18->22         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 22->47 49 Tries to harvest and steal browser information (history, passwords, etc) 22->49 51 Deletes itself after installation 22->51 53 2 other signatures 22->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 09:28:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
28 of 40 (70.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwbutc44maskxelpkttyu6xxzlb7fyx2hknyund4glqn3fdky5jq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3d9766bbf57730b0aa1d3d43a8ce30d7f7b0798b82f32d235a06af5cdbb6ab6c
Formbook
3eca58af30a24d1b5697c4079be161499ec28e5ec399738619c640633b6d1781
Formbook
756afd5279f32f281ffd21bdfa2079123cee745c813d3b07d0f3508c129a2bd6
Formbook
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
Formbook
a942ff27c44b844b9b4b6c77a43fc5d454c009c8dc649cd381ca7d3a9e23792b
Formbook
d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb
Formbook
eacbd3784763b4f97f35d08baa9c11c48fcb08fbec721f1d52543ce2d036d5f5
Formbook
f281fed414237c484d936802d8bc112995ba6df5c9485207a284b8fc31edf2e6
Formbook
+ 16'745 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:uymo rat spyware stealer trojan
Link:
https://tria.ge/reports/221022-lmnh8acbd6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ee7de397-29a0-44d3-a9bf-38c9dfcadf4a
Unpacked files
SH256 hash:
4a0f25ba5bfa58f0da9d5d8b3a5fcb8410768dba642d1ed49055992ba6b424b7
MD5 hash:
61124d94be8974bcce5368650b3e6628
SHA1 hash:
96108297e87b81bb05e725ef111822d47d866978
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
Parent samples :
9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369
fbc14992308d88c7a33989479793655a4ff4c9caeb3c011f6e95b11c55f675ef
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
e3ac8c8b67752d68d7c6b20ceee1fd8d60d8506b0da5cd589c6e5976ecf8b0c1
310b4ffa559e06b739ba7b4d7cd12f47286aec7352a8aa5296955f0a7f49b190
c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4
5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753
SH256 hash:
cc8d00bd20e65f242e9dd5f769d3f4db614b79dfd8866d9782a0c6cef1e304b4
MD5 hash:
0ceb5c1d97b423df5f236c7ff088942b
SHA1 hash:
d5ff267189a16c064d3bd20c45faa086d9379cc6
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
SH256 hash:
97355487597e5e2e018b2dfceaa151b3cfa8e4b792df928e8a2f4d924424c173
MD5 hash:
6dca9d83f52c3d005da81af3af165410
SHA1 hash:
a2239361b76432fa879485e56ffdecf619da7e16
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
SH256 hash:
17d448c7a0aa7070040c4795a326313d12d4b87e5425f423d5894ff5a82ba3c9
MD5 hash:
ce50d63e985fba6c77ae0422608533b5
SHA1 hash:
8e6adf4337330d31ff7adbf9bfa6a0fa0ad1c029
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
SH256 hash:
a9e86f7abf11badc27487d02b8f28ec0db23f01154080ac0118fdd01dbe03a35
MD5 hash:
add66eb31056e7383f37d06303ad4aa5
SHA1 hash:
296cf1046e7efc5b8f810f83dc308142916b61bc
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
SH256 hash:
5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753
MD5 hash:
f9cedb14027bc52ad967ade78d3ed988
SHA1 hash:
b55b9f567223d8f93b6beccbcd8e69dfa4f27f6e
Link:
https://www.unpac.me/results/cf08ebc0-f216-46cc-8027-0e77ee99aa36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322603/

Comments