MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154
SHA3-384 hash: 3f26405e77c600db6af4df69b0fcbfc941840b423cad0a9f4658f1b99292e9a9cb9e12055b306666456617bcca86c7ea
SHA1 hash: e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1
MD5 hash: ee8704b53daeab3de3fe710d1e4ab2a3
humanhash: mississippi-kentucky-beer-twelve
File name:RFQ-PR. No.1599-Rev.2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:311'639 bytes
First seen:2022-10-14 10:15:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx
Threatray 17'955 similar samples on MalwareBazaar
TLSH T108641210F64580F7D87603335A7A977E5EB6CC2C8191FB4F23C42A6A7D21591C12F76A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320326/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43108/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634936e248a09eabde1107e9/reports/b059d2a9-b91c-47d9-b506-d4d2877dc30d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffef3524-5fae-4f9b-a6fe-57ba186382f4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1090649
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 723259 Sample: RFQ-PR. No.1599-Rev.2.exe Startdate: 14/10/2022 Architecture: WINDOWS Score: 100 33 www.somethingyourselves.com 2->33 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 5 other signatures 2->55 9 RFQ-PR. No.1599-Rev.2.exe 18 2->9         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\gpfwnssmn.exe, PE32 9->29 dropped 12 gpfwnssmn.exe 2 9->12         started        process6 file7 31 C:\Users\user\AppData\Local\Temp\7883.tmp, PE32 12->31 dropped 67 Machine Learning detection for dropped file 12->67 69 Found hidden mapped module (file has been removed from disk) 12->69 16 gpfwnssmn.exe 12->16         started        19 WerFault.exe 23 9 12->19         started        21 conhost.exe 12->21         started        signatures8 process9 signatures10 41 Modifies the context of a thread in another process (thread injection) 16->41 43 Maps a DLL or memory area into another process 16->43 45 Sample uses process hollowing technique 16->45 47 Queues an APC in another process (thread injection) 16->47 23 msiexec.exe 13 16->23         started        26 explorer.exe 16->26 injected process11 dnsIp12 57 Tries to steal Mail credentials (via file / registry access) 23->57 59 Tries to harvest and steal browser information (history, passwords, etc) 23->59 61 Modifies the context of a thread in another process (thread injection) 23->61 63 Maps a DLL or memory area into another process 23->63 35 www.mariefrank.shop 91.195.240.117, 49701, 49702, 49703 SEDO-ASDE Germany 26->35 37 9jashopmall.org 68.65.120.126, 49704, 49705, 49706 NAMECHEAP-NETUS United States 26->37 39 2 other IPs or domains 26->39 65 System process connects to network (likely due to code injection or exploit) 26->65 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 06:56:56 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 42 (52.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qc4ld4qfgx5dy4zwph27nl6nfwhdov7mijhdglqbzmadpnyn6fka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cf04aa0803e2075837ea0ff69ba2b7d50884eff30677baa63770b467d952415
Formbook
4eaa6cbb07ff01de61ba87d140ca4dcd5c4054f9796bc6c15e6946ef484991ff
Formbook
5eacddfba11e9ce3946802e55e8abb159eb51a3bd27c7a92a68b8b23dcee79c8
Formbook
5ef60b3981c6f69e4dc216f6dc71c4f43a918b625f6a3d9bfbce2067016ddfa7
Formbook
7ca3b28aa32d6b9bd972c430c47691db7212f9fd7b713c3ff2fab8b10a0bd66a
Formbook
806a765203bdd0a1e4c715bf6022dce830d04ae041ef978b3b2890b158a7e180
Formbook
c4d1c39814d1e2d2aff5e0bd608585c6ff9c932c3480d73eb30310cf3c4be029
Formbook
e9f669028697238e2a9a181b9e409909695d03eccd09a35db30729fb51952527
Formbook
+ 17'945 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fkku rat spyware stealer trojan
Link:
https://tria.ge/reports/221014-masg3saggp/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3f12fbef-2e8e-446c-91f3-cd8abe2c8190
Unpacked files
SH256 hash:
09d52ad95dcd0d1d03a0f6e970d2c03fbbe43fa226ce34080edbe2da18a7524e
MD5 hash:
b886b761605f686d7dea741ebf59d399
SHA1 hash:
ec19c967fa0256632b3684881e485c4a86b1d837
Link:
https://www.unpac.me/results/a1665ce3-782d-4bc1-ad6b-b33f676aa5d9/
SH256 hash:
dd3a61c899c10a7cf4f85a197e4a270eeb367fe4950e924d5da18e92c567112d
MD5 hash:
caadce6a0b7843b155bf6a2a6b68a625
SHA1 hash:
a22be42daba99dc587bd528ebd635f88bcaa9c68
Link:
https://www.unpac.me/results/a1665ce3-782d-4bc1-ad6b-b33f676aa5d9/
SH256 hash:
80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154
MD5 hash:
ee8704b53daeab3de3fe710d1e4ab2a3
SHA1 hash:
e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1
Link:
https://www.unpac.me/results/a1665ce3-782d-4bc1-ad6b-b33f676aa5d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/320326/

Comments