MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
SHA3-384 hash: b41961fb48b2e616d5fc70eaef42ef907c18e3da65169b70bc025c951d381e0e4ff5c424fac358eaed91cb9f4cdeb775
SHA1 hash: 9985a65e0aa690308454632223393d8d18a1c744
MD5 hash: 48043c9a21d0547478331c1613660595
humanhash: stairway-hamper-nine-uniform
File name:QUOTE_PRICE_REQUEST.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:258'720 bytes
First seen:2021-09-29 02:37:51 UTC
Last seen:2021-09-29 04:06:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBsQpdS5YvokAIez44IpuctJDq2xs3FIN5fo25WHZEhnsxV:/86YvokAIez4xpltJi25Q20HZW6
Threatray 9'705 similar samples on MalwareBazaar
TLSH T17F4423556982CDF3CAE366301571ABBAFE77C01421357A0B2FB85E330D7294A5B2335A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab.exe
Verdict:
Malicious activity
Analysis date:
2021-09-29 02:18:00 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/5f90a523-38d2-466a-9ef1-62d5d45bff8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192746/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.10913.12446.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Reading critical registry keys
Connection attempt
Sending an HTTP GET request
Possible injection to a system process
Stealing user critical data
Unauthorized injection to a system process
Deleting of the original file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1a82979-ad13-4f87-8a3a-e80d1ce5c8dc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860475
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492904 Sample: QUOTE_PRICE_REQUEST.exe Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 QUOTE_PRICE_REQUEST.exe 17 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\vogxk.dll, PE32 10->28 dropped 54 Detected unpacking (changes PE section rights) 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 QUOTE_PRICE_REQUEST.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.ha0313.com 168.76.75.131, 49848, 80 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 17->30 32 soolls.com 109.106.254.90, 49823, 80 NETNET-ASRS Serbia 17->32 34 12 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cscript.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 01:56:04 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ov3sg5nmxt5wznti7qseszy2nkb27ykdigcky7ab7wevqjp46xta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
Formbook
2fc82f206abb0d6d6b4d7a916be93b408ab78f848531917b3968b066a5a31023
Formbook
326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6
Formbook
45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3
Formbook
50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a
Formbook
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
Formbook
95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d
Formbook
a0d1e3fbe11fcbbea9dcad1880e23ea531c01c20fbbf383174cd420349657a01
Formbook
c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175
Formbook
c4c9d27ea805c32e7f0e66dc0d9534d8fbd87f4c1327727b2e1e9ae937f02c45
Formbook
+ 9'695 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:m6rs loader rat suricata
Link:
https://tria.ge/reports/210929-c4rgrsdebl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.litediv.com/m6rs/
Unpacked files
SH256 hash:
fae6a3048e91247206a42ee5f9261b9602afc2bd7fd8665f5a08b82c517a1789
MD5 hash:
1fea91e3debf7c3115cd97b8be64da57
SHA1 hash:
dc1fd88108a94cea7d802f9e8ab20c8d120c7602
Link:
https://www.unpac.me/results/6f66d6bf-679e-453d-b9e3-950b47673970/
SH256 hash:
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
MD5 hash:
48043c9a21d0547478331c1613660595
SHA1 hash:
9985a65e0aa690308454632223393d8d18a1c744
Link:
https://www.unpac.me/results/6f66d6bf-679e-453d-b9e3-950b47673970/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192746/

Comments