MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d
SHA3-384 hash: f0627d09134128cc3798b3e78f7d41aa191ec2a53e7e5c89d776e56e9586ce906f614c9015af543e11c71e36cb699992
SHA1 hash: 7e790f1f9250c78afed30f1ab29f75269938dadf
MD5 hash: 84c61a7293e34986b51bbe02160005a1
humanhash: ohio-quebec-carpet-kentucky
File name:QUOTE_8392.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:572'416 bytes
First seen:2022-05-09 04:18:27 UTC
Last seen:2022-05-09 04:38:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:9B+HUXPlo53VjOgA0/l9AX2+RZofoRnBcE:9BtXO/y10/vAcE
Threatray 15'383 similar samples on MalwareBazaar
TLSH T187C4F0CAF65496A1EC395BB62536C93012B33C3E9975E80C2DCF3CB73AB76519402993
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
QUOTE_8392.exe
Verdict:
Malicious activity
Analysis date:
2022-05-09 04:20:17 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/612bba06-2e92-4cd7-b114-613b6977f96f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.16973.4586.2307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6278963740f9dd937eeab61a/reports/21cc86f6-7eda-4bff-bd2f-115c936fee82/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3faa0f9-b19b-4cae-a378-3108e86163ea
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989933
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 622429 Sample: QUOTE_8392.exe Startdate: 09/05/2022 Architecture: WINDOWS Score: 100 32 www.bam777.com 2->32 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 8 other signatures 2->50 11 QUOTE_8392.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\QUOTE_8392.exe.log, ASCII 11->30 dropped 62 Tries to detect virtualization through RDTSC time measurements 11->62 64 Injects a PE file into a foreign processes 11->64 15 QUOTE_8392.exe 11->15         started        signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 Queues an APC in another process (thread injection) 15->72 18 explorer.exe 15->18 injected process9 dnsIp10 34 www.dauthy.net 188.114.97.10, 49838, 80 CLOUDFLARENETUS European Union 18->34 36 coatweather.com 31.170.164.53, 80 AS-HOSTINGERLT United States 18->36 38 2 other IPs or domains 18->38 52 System process connects to network (likely due to code injection or exploit) 18->52 22 help.exe 12 18->22         started        signatures11 process12 dnsIp13 40 www.coatweather.com 22->40 42 coatweather.com 22->42 54 Self deletion via cmd delete 22->54 56 Modifies the context of a thread in another process (thread injection) 22->56 58 Maps a DLL or memory area into another process 22->58 60 Tries to detect virtualization through RDTSC time measurements 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 04:19:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6kf5szkqhvgksuyy4uab4b2iibiopzq6wbbftpmhvwvo67ajvgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27
Formbook
1358d88e078f1c59b546256968179bf213928f1e6f4e7afa255681b2cd8f92a2
Formbook
3230e570068c3d5d6d0017a368fd6e5b179eadbfec7a8d5eb9b10308fa22c637
Formbook
46eb08598db36bbd56aa97a864deb6e81b1a4f335cab69c02a163c7621f1d7e4
Formbook
5f75a4cd779707129db4deb97e834d4fe3e7d41d576d9a2078b855c790736c74
Formbook
721c03c3cc73dddfcf27e473fc9d1962dd59b3cc7f7b70cdc17d2d6a049aed8e
Formbook
da2458789c338c2719661254515dba2fc92c21ef91a11da3d192a6542ca56814
Formbook
da9e890626946b96039a20cc107a0f7f0bc13440d9ede74799b6f9a2514e3759
Formbook
+ 15'373 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ky13 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220509-exhbmacch7/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
7ef3b8bd3782f639b20371cbbc81e488efa76fc401fc786254830b953b9ac98f
MD5 hash:
0dbc653c405cc7620470520559ea5ba8
SHA1 hash:
8e89713f9312bc28a3dea4df33cd3b9db6dc7e78
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/68abe52e-f5ba-476b-a57e-88621085a6e5/
Parent samples :
6c072202b1317248aa9654a34913ddd82a99633f5eb364d41f939bc7bc3b26f0
3230e570068c3d5d6d0017a368fd6e5b179eadbfec7a8d5eb9b10308fa22c637
87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d
98555514bbd11ff97bc555c553087b857314f4da0488e2235080651ee71a0f0f
13e6fbc0a4ca130a7410f6b3446cc6bb776ff729b43e2fd3c54495885bd2b2b6
SH256 hash:
e00a370638be7347c75419052cf87e8fc9113ff4f97778ba1d371680f4d50c0b
MD5 hash:
274beb22e47e41f9627d6bc202554154
SHA1 hash:
9702fc12ade321b615c711e3b3a10fa690a2dbe0
Link:
https://www.unpac.me/results/68abe52e-f5ba-476b-a57e-88621085a6e5/
SH256 hash:
58d1ca1a6f52d009f70f3d6a82580c81c3b0db158c792f5847623964ddb33faa
MD5 hash:
945cb5e162baae4e1517ef8f34b6df8c
SHA1 hash:
3e88fc715bdb9a6094962b7399c052788e600438
Link:
https://www.unpac.me/results/68abe52e-f5ba-476b-a57e-88621085a6e5/
SH256 hash:
0ec61274d4ca30a23dd993a0da865341e93bc7294a0c1a0848d5679986600922
MD5 hash:
208c5fbbe709e9a52d4e8a4c357d5cd7
SHA1 hash:
3577bd25ffc4d08bf658f9abc04212445ced2b1d
Link:
https://www.unpac.me/results/68abe52e-f5ba-476b-a57e-88621085a6e5/
SH256 hash:
87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d
MD5 hash:
84c61a7293e34986b51bbe02160005a1
SHA1 hash:
7e790f1f9250c78afed30f1ab29f75269938dadf
Link:
https://www.unpac.me/results/68abe52e-f5ba-476b-a57e-88621085a6e5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87945ecb2a81/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 87945ecb2a81ea654a98c72800f03a4202873f30f58212cdec3d6d577be04d4d

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment

Comments