MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c4eb7a47ebe8538d3373cd1e4ae873bd331f91e2bf7730444754354667abbf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	7c4eb7a47ebe8538d3373cd1e4ae873bd331f91e2bf7730444754354667abbf5
SHA3-384 hash:	7afd52860a925d5584b1b265e8923e7ac0408b295ab293bfba4cbe09227bc5bc1dcf5b8b44f15666e617924688debc47
SHA1 hash:	b3aacfc4c496eb0060cfa67b99d86a48b7b8047c
MD5 hash:	6b9d43cca5f06d05cd484a885f7ac329
humanhash:	helium-zulu-pennsylvania-lactose
File name:	RFQ - Request for Quotation.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	278'283 bytes
First seen:	2022-04-15 12:47:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (730 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep	6144:HNeZmkJ3w/ijXozqscTuNvmgI+hpdz3i6hxw+Hgy8vU:HNli3w/iboz3cCwgIuiWRhX
Threatray	14'910 similar samples on MalwareBazaar
TLSH	T17244125A7094C0B7D7B301732E78F72B5EA9D34205BD460FA7A09E0DB8A0795DA0CF29
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

RFQ - Request for Quotation.exe

Verdict:

Malicious activity

Analysis date:

2022-04-15 12:47:48 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/796cd7b8-2612-4a47-b4d9-16eb6874b3ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/263986/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for the window

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

Sending a custom TCP request

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13966/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe formbook overlay packed python shell32.dll

Link:

https://www.filescan.io/uploads/6259694bffe27d5119da6d33/reports/29f0ae51-183a-46e5-969b-ee86da0ed84d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8842bab8-a5e1-44a7-ba56-f434a5aca695

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/977397

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c4eb7a47ebe8538d3373cd1e4ae873bd331f91e2bf7730444754354667abbf5/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-04-15 08:34:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=prhlpjd6x2ctruzxhti6jluhhpjtd6i6fp3xgbceovbvizt2xp2q._file

Verdict:

malicious

Label(s):

formbook

Formbook

156b5c448e30912d7d21ca87fbb01a5c9006a3093c236e05809a4b4ecacd7400

Formbook

1c2f6b38af555e63c11d8dd6bebf23031802d079556720108ba51d5d87418fdc

Formbook

3056c88b6d73015ca9efba7befa2e9a1ef2b692d2457df9bda21ae161b326b03

Formbook

51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc

Formbook

75a17cb26bd616c7d7b48b0b3add3033b6cd8656d8d20a0618734a3850072632

Formbook

83ade97bc0f693761767e687204e11ba7bda7956db304f4a63ca56cab467bd1c

Formbook

bc2ddac40ce341d13e48f7d4bf82d31a6a150339e1928e64ecd3d71522874fee

Formbook

c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c

Formbook

f2d973372cb16c6b4a4ea6a6dd1d2bc5382218528e084b233becb39ce8278201

Formbook

+ 14'900 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:b62r rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220415-pz8lpshgdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

aa649acf6e95dbfa5bca3a7015ab59d6c8264f2a5f758e2fb281382723003c54

MD5 hash:

a660502bf956c719c7fdc9f0eed6406c

SHA1 hash:

0e7ea0c0a9ae6cf6a7be0fe8fde58126ecdd3312

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/765e207b-f545-4cc6-b50f-aff19816545a/

Parent samples :

3056c88b6d73015ca9efba7befa2e9a1ef2b692d2457df9bda21ae161b326b03
bc2ddac40ce341d13e48f7d4bf82d31a6a150339e1928e64ecd3d71522874fee
28242eb537cb3a15a1d074732d47690314011774d0079417d60c3839cdd2656c
4e1d9845294ff5a1e29444f88f6467db7404c814706227560f8f820c207f0e6e
9c0ca1e3db304f86a5e7675145babc8d1a9e918560f898d6d3ea4dc090dfe714
32fe0c94afc43b13bb24eee8bb1e28ca68c069c8868a22a2c107d86eeb746db3
7c4eb7a47ebe8538d3373cd1e4ae873bd331f91e2bf7730444754354667abbf5
8460d2cd681af4844bf52644f5c004fda2d3891f48e4d152ef160b99aaff7ff7

SH256 hash:

1d8cada548218669e1b6cb7b1486314af7a3d5b8806dbfb8d3031c8f2fa1a5e2

MD5 hash:

a1740725322ae8ab663509ab7dff1bbe

SHA1 hash:

1e15f8e78e070c6bf9c36a4e76e065a2162b78e0

Link:

https://www.unpac.me/results/765e207b-f545-4cc6-b50f-aff19816545a/

SH256 hash:

7c4eb7a47ebe8538d3373cd1e4ae873bd331f91e2bf7730444754354667abbf5

MD5 hash:

6b9d43cca5f06d05cd484a885f7ac329

SHA1 hash:

b3aacfc4c496eb0060cfa67b99d86a48b7b8047c

Link:

https://www.unpac.me/results/765e207b-f545-4cc6-b50f-aff19816545a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7c4eb7a47ebe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7c4eb7a47ebe8538d3373cd1e4ae873bd331f91e2bf7730444754354667abbf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	t0_1 Create hunting rule

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/263986/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample