MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd
SHA3-384 hash: b4fc8b87324be989f4ecb2c3e8289b0cd22c761bab235739601af1da01e2f53eb97c9129aa53ec19aceeb9a9f1116844
SHA1 hash: 31c68914c047d1bb761aee297af12461d37e4fa3
MD5 hash: c32ab169dd005d75f00197aab455078c
humanhash: music-bulldog-foxtrot-michigan
File name:Quotation-Pepper Fuchs- Asia Pte. Ltd..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:867'328 bytes
First seen:2021-09-20 06:17:25 UTC
Last seen:2021-09-20 07:00:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:8BGiY6HeFuYqLAEq56bIzLdn6pgkF0me8bCW3s7KGrIWCtmtiK5oSklG:8A6+FuYqcEM0wxEF0mPt87B4+FoSks
Threatray 9'389 similar samples on MalwareBazaar
TLSH T1CC05C0202264826AE1F7E73DD46294718B3FF987A036DA9A5DC3D9CA0D31341D51BF2B
File icon (PE):PE icon
dhash icon a6591878d162e41b (9 x AgentTesla, 7 x Formbook, 2 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation-Pepper Fuchs- Asia Pte. Ltd..exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 06:18:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/261b9d00-40fa-4abd-9384-962c02411b32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189215/
Detection(s):
SecuriteInfo.com.PWS-FCSUC32AB169DD00.22763.20904.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e344a6e1-7b54-4d31-8f88-73dbb0e43785
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853757
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486185 Sample: Quotation-Pepper Fuchs- Asi... Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 31 ic-54113400-0a7b2f-windowsupdate48.s.loris.llnwd.net 2->31 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 9 other signatures 2->43 11 Quotation-Pepper Fuchs- Asia Pte. Ltd..exe 3 3 2->11         started        signatures3 process4 file5 29 Quotation-Pepper F...a Pte. Ltd..exe.log, ASCII 11->29 dropped 55 Injects a PE file into a foreign processes 11->55 15 Quotation-Pepper Fuchs- Asia Pte. Ltd..exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.furgorejotas.com 54.36.145.173, 49779, 80 OVHFR France 18->33 35 www.whitmereliye.com 99.83.175.80, 49775, 80 AMAZON-02US United States 18->35 45 System process connects to network (likely due to code injection or exploit) 18->45 22 explorer.exe 18->22         started        signatures11 process12 signatures13 47 Self deletion via cmd delete 22->47 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 01:06:10 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=npg3dntzlqrdbcxolu4qz6xebhjbumryumcem3ovjqo64q2xbl6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25644ff35da89545c702b633182c4ff1f649dd64c9c8249be9afe7090359d87d
Formbook
66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a
Formbook
7e0c1f10cfd225b16e83ecf7bc37a782441b8a96225fff827572bc3a81421bb9
Formbook
91ac1f88bb93a354dc3403e85d3f72ed3e699755ec8b3fbfc1d7eb03c0b67d50
Formbook
ae33000cbdc7cc10a8d86ce07727c8159d66a6707e2a453d996dc61c709de96f
Formbook
b38eadc0a59ed8405656c9445912f644724ed07ce9086e0183a6b086460f20e6
Formbook
b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
Formbook
bb21e5cc104a482d8d806a79b75f20781bde73dfb3ac59d6cd58fed12e9757e5
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
f8f02165547227a6692d503cf1203dcaf2d43b58219bb78cb0e42895f49a8121
Formbook
+ 9'379 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:im8r rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210920-g2lwqafgdn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.mashup.agency/im8r/
Unpacked files
SH256 hash:
08dd4b9dbfab34a687b2e3317c4a2d7d17546005b8bd57bad8fba973cbc638c8
MD5 hash:
a60c503e7d91d20e596e53db2e70ea1c
SHA1 hash:
87905808f532bcef32a61b43044378b1131f102b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/70664371-8482-4e06-a584-2d2548602d1a/
Parent samples :
6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd
f34b081e06b7cfcdabd9055fad7790bc66a20d62846172a24f914bf2d5298432
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/70664371-8482-4e06-a584-2d2548602d1a/
SH256 hash:
38fd98cecb612f5b644f740bdd424df52c14eba038c3a36bd623c77e15938286
MD5 hash:
ae988a8a1fc0b7ef3454760c749be268
SHA1 hash:
7414343f890bce4eec2942ec476e912992277c0a
Link:
https://www.unpac.me/results/70664371-8482-4e06-a584-2d2548602d1a/
SH256 hash:
9c9e15c1e7ba0b6c2e5e9b6bfdcf253f9232f888ef3653cd799a8031f6ee15c4
MD5 hash:
8f0f2c242df3d6aa2f30d149c9e66a36
SHA1 hash:
11041b4fb18c17073a23218bc5a3d007c8c9c0c3
Link:
https://www.unpac.me/results/70664371-8482-4e06-a584-2d2548602d1a/
SH256 hash:
6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd
MD5 hash:
c32ab169dd005d75f00197aab455078c
SHA1 hash:
31c68914c047d1bb761aee297af12461d37e4fa3
Link:
https://www.unpac.me/results/70664371-8482-4e06-a584-2d2548602d1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189215/

Comments