MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609
SHA3-384 hash:	31640f75204c8f5dcec0a3b8c6633ed5cf5da6667e164218a17898352a0e3920c39f2d049d01c53a7f753dd8718f63ec
SHA1 hash:	c244a56d0bf282dafa76daa0dae83b42d0562bae
MD5 hash:	5ca240dfc2102f78c9a95a5b38d61577
humanhash:	jersey-minnesota-nine-hot
File name:	Request for Quotation_PDF___________________....exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	632'320 bytes
First seen:	2023-05-16 21:26:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:hxUnJv5JwMSzoTylq/YvEa1cAk9r0hmY34:3UpbwMSzoTylqwcehmu4
Threatray	2'850 similar samples on MalwareBazaar
TLSH	T15FD4D07560DE4A90E41ECBB265BCFC72433170E3EED9C6750729A684CE27F602E48D5A
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	20e4e4c4c5454945 (7 x Loki, 6 x AgentTesla, 4 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request for Quotation_PDF___________________....exe

Verdict:

No threats detected

Analysis date:

2023-05-16 21:28:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c76d2643-20a8-4ce1-a2ef-40af3422b705

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/390569/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.25438.24089.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/6463f527f1dbf8a7cc9d11f3/reports/32bccbf4-0133-4158-8b9c-2a19ce876c43/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/315c8ab9-31fe-4253-bb74-8bb399deaa3e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1234864

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-05-16 05:50:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mbpxd3caou74d3iqtzqfzawxqf3vjlhw6kwrblpqngnozgixgyeq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b

Formbook

4c8180c106fdf8c5c144e85b22eae0ce157372378310a1b7252326e6521a1b2c

Formbook

633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f

Formbook

bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

Formbook

cd94bb8956e12aa67943b6bb657f17d2680b848b36f8726283a2037d1d588461

Formbook

ef201fa6a83547a8b5a1514e948d4208ee20bd4d37c1fe57d81bb1c2dfb1caf5

Formbook

fc52523013f9198bf95daa7b6f6a597b518273b54c50635784deee1e3c9dd991

Formbook

+ 2'840 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230516-1aqv5sbg6s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

9b21debe11f6aa194fdd1a7618a71d7a3b240f671544a5dd26e901a5110dfb5b

MD5 hash:

a9751fc19892615fa217df414ae9c992

SHA1 hash:

4ca886c15019eb07d9e1bcd86d2ca2d0a71d978b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

Parent samples :

4c835aea417aae501813df52306ed19c591869eee045da1fc7ede6b7946aebce
605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609
e0b295c6ff8b659d36af3e6b48ce997d4e094d8f50bd14ec71c309a46024dad5
1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63
032454dace97a2e1d466b0a2749f8a3fbaac125c110a89f43a1ecac98aa05b49

SH256 hash:

d9bdc9ff83f9a6b14cabd68d2fdc880c49cb0c9aaa548334d27e1cb809f704a2

MD5 hash:

49285c96182b78cd550e17ba061fea7c

SHA1 hash:

fed1be6a91d86ec2d50fcf8cb460dfaa3b3ed5bd

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

SH256 hash:

d6b5488b15683a8557aae6c049895d4c76a40aa114803c57f44c26490d23f77f

MD5 hash:

cfb1d8a17325bd8b38dccef0b66bb5d0

SHA1 hash:

aef102758656087033f6f16af6e2a50e9d94f062

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

034f68ef9b66266c0f43a1aee0da82e0c76ce3086e91d1e5701a2d0d49ca1d44

MD5 hash:

e1b646e26b15631b9519e4a02ab9feb5

SHA1 hash:

8557d957f3d5be93eac9f13cbfcf2c3039a22671

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

SH256 hash:

a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438

MD5 hash:

dfca41d2838170cb07ef445bb7d9c987

SHA1 hash:

7622672bed23f065cafdf2a17879ebf5926aba8b

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

SH256 hash:

605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609

MD5 hash:

5ca240dfc2102f78c9a95a5b38d61577

SHA1 hash:

c244a56d0bf282dafa76daa0dae83b42d0562bae

Link:

https://www.unpac.me/results/bba3d804-70f4-4be0-8781-3b4826d4428d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/390569/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample