MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a1b2093240b008b261eead28a9a024f7f74ee2d725893d3f78954c899d73105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a1b2093240b008b261eead28a9a024f7f74ee2d725893d3f78954c899d73105
SHA3-384 hash: d3a8d12688700d6e5cda4f0ab6477dfad3c47225af74946224c5e1e4627678404a41bb1b8ad9e596baad77bf46901c84
SHA1 hash: 3b290e1ce059cb932cf403600e9740f51e71f3a4
MD5 hash: 03716b90f325dba991ba6ab0c2f0d1ac
humanhash: massachusetts-high-ohio-neptune
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:927'712 bytes
First seen:2021-02-15 10:39:25 UTC
Last seen:2021-02-15 12:59:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f228986deddd0a2624405de57a5157a5 (3 x RemcosRAT, 1 x Formbook, 1 x AgentTesla)
ssdeep 12288:KMndyoft/z3WuigCItGkRzowJ/mYCoDaMycZ+wvt51d:KMd7/DhHoEchYtDocLF51d
Threatray 47 similar samples on MalwareBazaar
TLSH 7615D5F2E94A8E31F05B153DE48AF6341836BCF1391D886A5EE47F06AA6336C35114B7
Reporter madjack_red
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-15 10:40:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7fc5c33-bb8d-471d-827c-367166abc775

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/607957
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a1b2093240b008b261eead28a9a024f7f74ee2d725893d3f78954c899d73105/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 06:40:02 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rinsbezebmaiwjq65ljivgqcj57xj3rnojmjhu7xrfkmrgoxgecq._file
Verdict:
malicious
Similar samples:
08c39e0ca34ceb7834c367901d68c40c0c5b7429f7636395e456415e1c5addc7
Formbook
0b3369216c127cc53e7c1050cc5e240101c1282ca0c0bf974f7e1c3be0009cca
Formbook
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
Formbook
2a914a931b749d964e9087d25ec502a25c22118c24e0239e7b9a73af3d4a6779
Formbook
2f3c9eec055b5c11f8bbd794fde194e68a7c27cad4112d131ae999b953759ac0
Formbook
66eb53699937b049b917bbcfa13b9b5d2f8449753dcbbf9e35405a766cdc9a70
Formbook
6cf485e9d0c0f8ffbe0c4d8776adfd121f4de33fd73262d642739cc3491cac13
Formbook
969c356e48ffb2e13979513881838131bf9f61f5bfbe14e4314fece49d9e01ad
Formbook
b8226d8eecce8bfdf11e59092c4e1b24fe6c232e566bb2b665530834f3e2a12c
Formbook
d626c26da5fdcaa9fa9e5fe3d1f704b3002c48a8259018466e6b25f0f21f2a0f
Formbook
+ 37 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210215-ycp6qzcnks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.liyingyiyad.com/rgc/
Unpacked files
SH256 hash:
6c5faf9784abeff03bdbe2522b9da9862ac8eb9d333f608f8ef28719565968df
MD5 hash:
dff8986eae6a2b85730955c35b506f1a
SHA1 hash:
0b20d24bdd350524c25f5d513d1b3f8e4315c989
Link:
https://www.unpac.me/results/642e1654-8fe7-4dac-82a1-661075d840c2/
SH256 hash:
8a1b2093240b008b261eead28a9a024f7f74ee2d725893d3f78954c899d73105
MD5 hash:
03716b90f325dba991ba6ab0c2f0d1ac
SHA1 hash:
3b290e1ce059cb932cf403600e9740f51e71f3a4
Link:
https://www.unpac.me/results/642e1654-8fe7-4dac-82a1-661075d840c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a1b2093240b008b261eead28a9a024f7f74ee2d725893d3f78954c899d73105

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments