MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f
SHA3-384 hash: 71c90078f56400f79f20f36e74febb9b4a28644e43e6016e723c35e2bf6adae845b807052c783bea527773aad60e080e
SHA1 hash: 54cdc6c43635a0797b70b496a09d6f61616eac31
MD5 hash: 2335cfbbefcd4c5c251dbbbdd6de4269
humanhash: uniform-ink-echo-cat
File name:QUOTATION REQUEST FOR JUNE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:606'208 bytes
First seen:2022-05-30 14:01:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:v/bxEn27g6gmNMdf983l+8g43RaSrVJ2tXMs4Fn:v1jvg8MdfJI3RaS5J
Threatray 15'959 similar samples on MalwareBazaar
TLSH T11ED4AE84732E7CBEE41BD473A5548C14AB60246FA7ABC123915F258EA85C747CFF0972
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
QUOTATION REQUEST FOR JUNE.exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 14:04:30 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/60775c19-bb9f-4755-aa43-816a25f7ca07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275508/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1359.12873.17252.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/6294ce5b6eb3ff326340470b/reports/dcc7f2cf-9761-449b-b708-604251a89c7b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9355dfd8-d8a8-42d7-a3f7-bfe7f59f5c1c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003736
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-30 08:58:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oawmwdqvuih4md4ih24mfse56nlvyqht54qcuzdqyyefg2rhxq7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
027fb037ecddcf556e91cd6eeb42b270d27cdb668e85a5838f530a7f946ee1b5
Formbook
151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
Formbook
24760feea3c8f265f0af7e459844b8b793b6f572b890ce692a47cb6d6141a50a
Formbook
3bdf54d6b07a96a026ed34f1db8d5cc442c1a211d02ff888659d7263ccc77c4c
Formbook
3caaa84ffcbd28e8f6a95a11a8101508c06ee47dd00a93b0d52960e351e4a97c
Formbook
4a03cbfeb260c4c92a31e3c5e9d2ef539122ee9b7dc087a9d4db6073959de557
Formbook
bc1c5ae3fff0af129ab74ef27cbf0d9c2dfbebebef2857f21161ae3539e88db2
Formbook
ddc510c3b697c0c9d361f7ef5d62cb101d134a81dd76a25a4c08031afb6e936a
Formbook
f04f07bbeffe4e7ea71dabc192759db670f2407c8d46fd7f40ac91020f7161dc
Formbook
+ 15'949 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:p24o loader persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/220530-rb4nysgcb7/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
3c5e4555bd1252117fef7258cd82eaeaa36b4e8e853690a1211fbf0a283e78de
MD5 hash:
ecb4f282309ad3eecdeb56d596b96b68
SHA1 hash:
f257df6c833addfc6f81b42f551e6d3e9f82f92e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e1214e7b-12b7-44e8-bed8-ba4a14f6cad6/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/e1214e7b-12b7-44e8-bed8-ba4a14f6cad6/
SH256 hash:
b6ecb71c659fadd95a485bb4c247069a9cfd00be1a53e8e1defaee3d62654c81
MD5 hash:
ea632d08e0ebe1e07c269c6df1b1462e
SHA1 hash:
21933deae70acdd9009d96d592f9f38c008f6689
Link:
https://www.unpac.me/results/e1214e7b-12b7-44e8-bed8-ba4a14f6cad6/
SH256 hash:
702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f
MD5 hash:
2335cfbbefcd4c5c251dbbbdd6de4269
SHA1 hash:
54cdc6c43635a0797b70b496a09d6f61616eac31
Link:
https://www.unpac.me/results/e1214e7b-12b7-44e8-bed8-ba4a14f6cad6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/702ccb0e15a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/275508/

Comments