MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
SHA3-384 hash: 494ea8ae9b3823b54126cc7073716581e0992d373e126081818a92bdd40141849a18c7f113d2e1f400510455ce21d873
SHA1 hash: 3a7d5fd64d1ffc7271187893f6afa8ecb17103ab
MD5 hash: 84768f999455afd498c45d9a11e2c240
humanhash: pip-emma-yellow-oxygen
File name:RFQ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'194'443 bytes
First seen:2023-02-21 08:47:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:ETbBv5rUVGgovq8oUv52+oiYqfPBvfG0BC3+speeCjV/YY2JqBKMPd:2B0ov/vtvZPFG4C3Rh3Ib
Threatray 2'025 similar samples on MalwareBazaar
TLSH T1B6451202BAC1C6B2C26309726966AB24667C7D601F79CEDF7384369DDE311D0DB31B92
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f033131313d0f0 (3 x Formbook, 1 x AsyncRAT)
Reporter cocaman
Tags:exe FormBook RFQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ.exe
Verdict:
Malicious activity
Analysis date:
2023-02-21 08:50:08 UTC
Tags:
stealer trojan formbook
Link:
https://app.any.run/tasks/98b557f7-8520-4162-a6f2-e9b96c86de79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368570/
Detection(s):
Win.Dropper.Nanocore-9980570-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a process from a recently created file
Creating a file
Launching the process to change network settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71918/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm autoit greyware keylogger nanocore overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63f485442fa3ab63401f39f3/reports/da17fab7-0ecc-4a10-bc3a-d89a1e79512e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fedd33e1-d738-4909-86ea-9e7df7e20967
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179607
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Starts an encoded Visual Basic Script (VBE)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 812443 Sample: RFQ.exe Startdate: 21/02/2023 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 4 other signatures 2->60 12 RFQ.exe 79 2->12         started        process3 file4 46 C:\Users\user\AppData\Local\...\kngcvh.exe, PE32 12->46 dropped 80 Starts an encoded Visual Basic Script (VBE) 12->80 16 wscript.exe 1 12->16         started        signatures5 process6 process7 18 kngcvh.exe 1 3 16->18         started        file8 44 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 18->44 dropped 62 Antivirus detection for dropped file 18->62 64 Multi AV Scanner detection for dropped file 18->64 66 Writes to foreign memory regions 18->66 68 3 other signatures 18->68 22 RegSvcs.exe 18->22         started        25 RegSvcs.exe 18->25         started        signatures9 process10 signatures11 70 Modifies the context of a thread in another process (thread injection) 22->70 72 Maps a DLL or memory area into another process 22->72 74 Sample uses process hollowing technique 22->74 27 explorer.exe 5 2 22->27 injected 76 Queues an APC in another process (thread injection) 25->76 process12 dnsIp13 48 imaginiquecreations.com 108.167.143.136, 49709, 49710, 80 UNIFIEDLAYER-AS-1US United States 27->48 50 www.wtpovalderama.com 46.30.211.38, 49719, 49720, 80 ONECOMDK Denmark 27->50 52 9 other IPs or domains 27->52 78 System process connects to network (likely due to code injection or exploit) 27->78 31 raserver.exe 13 27->31         started        34 kngcvh.exe 1 27->34         started        36 explorer.exe 27->36         started        signatures14 process15 signatures16 82 Tries to steal Mail credentials (via file / registry access) 31->82 84 Tries to harvest and steal browser information (history, passwords, etc) 31->84 86 Modifies the context of a thread in another process (thread injection) 31->86 88 Maps a DLL or memory area into another process 31->88 90 Writes to foreign memory regions 34->90 92 Sample uses process hollowing technique 34->92 38 RegSvcs.exe 34->38         started        40 RegSvcs.exe 34->40         started        process17 process18 42 WerFault.exe 38->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 01:10:23 UTC
File Type:
PE (Exe)
Extracted files:
103
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofnklht5dzlivuphnrxn5ddwf3c5m4lsgq45cmpwwy4majp5ps3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4b01d8e4729b07277f8f71037f9fbda1f8d817d9688850d941e7832727bb0276
Formbook
860942d3b0190341282f2ae2d76d65f0374698fc48852aeda79966130bd68216
Formbook
8ddd2ba01927bb631eda5dee78b63f8cdb91db44e9418fd4eb313b6b4847f6d7
Formbook
95eea6606746af642726f423f651e78b52dc8652033b9ca6439a95248df0fde2
Formbook
9d1ee961410bd91109f256fa8d0976d53e2c317e8ef55ad244063adf7865afe1
Formbook
b15e539ba1801af269c976fa743708a0fc474fcdf6ba3a7433a08dfbf9eb1425
Formbook
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
Formbook
d3d3c216728f58044cae30180c84e75db170ea200860ae9415004f3a0f167ec3
Formbook
dcef53803395ab07ecfa4230ae586003b507e875cd93bae17648c47b536a7622
Formbook
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
Formbook
+ 2'015 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230221-kqfgcaga7w/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
4fa4356a8081f6d8733f114e5d2b0b8dc82386b623d1197566ecaec9b22bf9a0
MD5 hash:
e3b61401c6cc0d89a1d023620139f8d8
SHA1 hash:
7276973bab0dbee30d141b7ed0e1b99bc3b0962b
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6ac5feb6-1387-435d-b973-ae2c470bdb01/
SH256 hash:
fe4385e32eb928884f25182f14eff6c61f6ea9f60b3ba6fbc299232928b3670f
MD5 hash:
be2ed6c64fde0de7ccb49536a4679a23
SHA1 hash:
2cfec14bc9dc6d07111be3ae543afa3f333e5cd4
Link:
https://www.unpac.me/results/6ac5feb6-1387-435d-b973-ae2c470bdb01/
SH256 hash:
e44b78e36d2a892742effdc732441c37b6f78385e6a3f4dda0cca8393d47d1a5
MD5 hash:
44ad70ede04324f93756307216a4803c
SHA1 hash:
c698fa024c3258f664eebfe1f9d3b6c651c84d2b
Link:
https://www.unpac.me/results/6ac5feb6-1387-435d-b973-ae2c470bdb01/
SH256 hash:
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
MD5 hash:
84768f999455afd498c45d9a11e2c240
SHA1 hash:
3a7d5fd64d1ffc7271187893f6afa8ecb17103ab
Link:
https://www.unpac.me/results/6ac5feb6-1387-435d-b973-ae2c470bdb01/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/715aa59e7d1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b77d7e3f55d98f60010d5ceadfc90f0f4058db7a12955e2b9f093e953e4a3f90

Formbook

Executable exe 715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b77d7e3f55d98f60010d5ceadfc90f0f4058db7a12955e2b9f093e953e4a3f90
Cape
Cape
https://www.capesandbox.com/analysis/368570/
  
Dropped by
MD5 95bba62f525d875ef361e143af7c7e18

Comments