MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b
SHA3-384 hash:	cd5b81f60b97e385ea95fa1a981034c5fb02f73ec6e3a3ed6b7d99682f7bea57d212dadb8c9c902711c57eb5fcb39adb
SHA1 hash:	280cdfeccee5469fd52cb82b357be469fa8f977e
MD5 hash:	38e113e2efa47e6fdb1dd19332fc3f54
humanhash:	victor-mobile-floor-football
File name:	Quotation-9274.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	1'029'120 bytes
First seen:	2021-10-30 13:17:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f5ed924d88345a5aae215811a2cff84 (6 x RemcosRAT, 4 x Formbook, 1 x DBatLoader)
ssdeep	12288:qXIL69gWfTG2pMP1o6C+8zix8sdaPp62E4J66NuLpjqayC94M0LdEegD:q4uBfTG2pM9o6NN+swhY49MjF9Bey
Threatray	9'232 similar samples on MalwareBazaar
TLSH	T181258D13F7905A76C1627B3C9E26418C8816FD912A28DC8637ED7D0CEBB95C074A68F7
File icon (PE):
dhash icon	e4eee286acb4bcb4 (16 x RemcosRAT, 12 x Formbook, 3 x DBatLoader)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ab.exe

Verdict:

Malicious activity

Analysis date:

2021-10-30 02:57:21 UTC

Tags:

installer trojan formbook stealer

Link:

https://app.any.run/tasks/9479d173-da87-4169-a313-0662686014bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Artemis8980A24AEB5D.2064.4196.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Modifying an executable file

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf7a9295-61e3-4608-a78f-9ab1deea032f

Result

Threat name:

FormBook DBatLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/879808

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Detected FormBook malware

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b/

Threat name:

Win32.Trojan.Hesv

Status:

Malicious

First seen:

2021-10-29 13:44:59 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rjvv74i4ejrp4vl6ioukqggsfua2qk3kz3wz6hlkdcoiwjnuqq5q._file

Verdict:

malicious

Label(s):

formbook

FormBook

60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68

FormBook

7080315530bc6d7ead65034c1587e4596d9dbf0fc17107fbb28f84bf016009f9

FormBook

a192572433f8f1a41f0035e040f0f455608b6eb9695cbb87c9734f3a4bf7d4cc

FormBook

c6dae6493723d83bbbad1d1c66384aea85bc0664ca2bb6f796a6ce02b7a85a33

FormBook

d90b2ee420fc51d84a0c3c3fe2ae4e13b6313cd030be264440538a396dfe7956

FormBook

+ 9'222 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ck24 persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/211030-qjybgafaa3/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.rocket-scraps.com/ck24/

Unpacked files

SH256 hash:

9a6d538ce0cdab0d2401771da10ecd6ecfd51140de87dc0b866802e1c4cd3936

MD5 hash:

1125a04e558fc0d4ee7b3190e2547bbc

SHA1 hash:

ffa750c9adea8cd0751231be1580e5d6ff13efd4

Link:

https://www.unpac.me/results/e7d60f60-e9a1-495c-a7f0-19e5f810b345/

SH256 hash:

02f34a83e46d003f98facc6870034e12d69c029939bfc31caac6dd127efff0ae

MD5 hash:

f9335edb836a284ef0a00b0b61ac0904

SHA1 hash:

db078214040ac73f1f8bf32c933244cb3f43d5ff

Link:

https://www.unpac.me/results/e7d60f60-e9a1-495c-a7f0-19e5f810b345/

SH256 hash:

e232e1cd61ca125fbb698cb32222a097216c83f16fe96e8ea7a8b03b00fe3e40

MD5 hash:

f6d3a43210b0ae176ecbbf2fb450d93c

SHA1 hash:

da2a958b6d503853b27456e0a97694f30a73b68d

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/e7d60f60-e9a1-495c-a7f0-19e5f810b345/

Parent samples :

7777398dbc3f599ad36ce53b25d7991898b10168e825285a4dcd21cdd042f93b
1c07a02b2048d98c65295d00be10605198d719e0e0f89e8331ce31ac8f107cd0
bcbd57aad6980bd5734bd1d9cd0b4c88d46202a5b6c92e2421d3ce97678e4561
28771bdeb8fc15fe6c571d0a9ab08c6d2f46b2bc594a4e0395256988d0f8b38e
94c92dd25fe499f5afd0590fcc18cb9ed9a0078fdccbf6021ebaedb21298864f
3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d
567a5fef6b29e55518559e2020951d873a53a73f14feb8e58d9fe746e9f2161b
b3bb5068e9b2b78e445c0c560322c6bf244c7f008fd964394a0ee46ff8e17fda
52b65e7c2b466f1cc0cad7561145209448614999197a881f0f06dc936ecaa992
0ede7febc557ad60a79097e1f1edf2356d2697aaca2142cc64d70240323acd21
e70ca541f94d8cca778993ca8ac74fdfb9dea65e7d450bc6bac9a5b350f1e9f4
b5b4d9ff557a75779e7d90ce17ab8ccb549e10c41be3a67211dae10fe6daec4b
b1685b4946df16daf7ee4ecda64cc48bb48e5d0259eb0bddaca95df314de857d
ddf8299e0a1e35d69a3a0157d5238d754c60e6d1acc944da7345868a9fac2fa6
c397d21c0d43e8142340885612260771f78efd2e97c512293d08fa377f860a5b
93b7a518e97ad29f0c71d0af14a8e1f0db10564300bdeee1d71a2490d34615cc
b8f1babcc7e2cb18330c303f5b3c30811857a015a39932e7e3339893fd813360
d9ca56d191efaa8ac5beee52f508082d6e8efb29045bb61c23851537982fa6bf
a67796ab32ba225ab871923548c5b98147a848edeffb72089724d6131d20dc0c
8a4f39f938cbe854d8c74e2e3f4b067540a127844d2dc66892f65caa4292985f
c3c712f6cafb2e2768423e6e5dd623177962b820e140d1942099090ba67b8100
9e68a0780d3c86c44563ecb3ff063bd0daa87fa141de7e1022fa285f812dacae
27ff7f17af5f02ca3fd208d84c6c7c401f20cd615b5bc15f0825c6f406606f6a
b142625ba28f57154451adec427e264f09d3ab6ab976d27fc8a0638053ff5417
3eb92d82dbb561740df8bcb6bd9098b9ab3a2c11bff100ee82f30b2ac80a4c78
2cbd7b218fee7aaff31980c7f2bb3e42e08471518483071be365d4a36df2e59d
52c4899a67f258c48e17e26574fe854b99c03447d67fc9a6dfab07ce50a92afe
259cffd1c854b49d3b957c410271779f19cf73817fd31ddfcdc04d7cb7b974f7
31ccfd52379f73629cf34d1e2864648befed8f571785811c1936919f36b807c0
082baf651937a61c656a7166f6e672341808068663c21bd4111feccf71b78983
025a2d38afc9db265d6064588e38f6529d289f1549b5b129f2dbc52e72151920
7dba35b377cad91017112d639eb803269ee4b56dec7d0bfbfdab908ff711ff9b
f209e4caf270335b9688781274f169ce1bd46e12c0585295a0c31dcde7e57e8b
988bdc2407982afc0484bd010bee96515d2594d4bd770453c3a74812633075c2
a6ebeec300be5fbf0da778e99ab91f2af1470c5863784212a520cf5d378426e3
0132df77e1dfe29165f39d4fffdf58350fa6e6136ba1fdfd095868d1dc1e6fb0
0ca9bb0c14fad0f33e013afb8894a888cac9cc5cbb5caef4fce1b61f70a0dbae
a0faca6b2272201f92435b1764849ab99bfd22e025605e1e2e71e7328ce306d9
60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68
9b4ca94ec5ec101754d54a2d73aa5f84fdfe97bc1021d166f07ddcaf5482c059
4251ebd4c8908b8822ca47a236a24b1e537602917e8ff9b45f0e430a0702922a
8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b
16ed3359cc5de49c5ceb1770bbde0652438ab15a910ba51814803fff7f68393a
3b87e4ce782e2d6612b48c89a8fe965be84a3cb110db731845101a4243575789
95af4df2aea94c9836fe7a3c8fbb8ef28e2a377c4d9d5c9530825e0cb7a350d6
d72799be34725e6cc9665e17895075ad8c5aa22835440abb4a342a202426379c
e748e76168a7e308c718a4caff95bcee0e5315937c293169015aed60b27ab135
f857f10f0537c3e73d9d180b473bffb3bc43aeec4bf3c71a3b37c66bf199926c
1aa28435e63887b1ee372f54ce2e926888d19f5d3d3ab4d35d39da4b5272d721
b8e835b3ef97bd5ba4f5a1fa76637a11acc301d317ca87dacac8195f19bdce83
068ef52fbc36b06106b0ae63138ecf1cd37b82564dc3909939a0478eb21bc3c9
eda50e4a1eb0d707a898dda7a1919bceff050eb6f528aa907e49f573888a6f2a
e2c2491c8e787f549265256f4d778ac632b7e8e8d8923ddb17772bb926adfe31
230cbdb86d21c1e70ecf946e99178feed5ec21caebfd9695feaa51ab4bbcefe8
1e586ce592f186e4200b8b787ad6b632ba6160f5dcbc8662d27bc0804726cc78
2cabf83aab4b0138620bee4d622ab0b9c5774f5520422fa362257716cf3260bc
fc987865d9443b0a2e9367d07da163a588ef2ec6cef5be08d1ef0bc10f58cd3d
a5f047cd5a1f181b220f8a68e01f7003c3f81d5b6601a4578977b89cf4ea5246
4e74f02c08998baf0273de8e78238f82b271e017a88483413d2527b5e7401151
fc791a24b4250988196f8c8b174d778e0ed1f4ea2a3c8601b25ab4431df56f08
8db032a108bfbc9b5d4d2be6f466add20a81685196253867b99e6456e02adadf
214dc633d8cda71fa724675e530ef5e8b554389ee07268d4bcc54d44c6b1cc81
809848407af2f6ed9a66c96b184a49bcf88496a70d7c200e534739ceb23b97de

SH256 hash:

8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b

MD5 hash:

38e113e2efa47e6fdb1dd19332fc3f54

SHA1 hash:

280cdfeccee5469fd52cb82b357be469fa8f977e

Link:

https://www.unpac.me/results/e7d60f60-e9a1-495c-a7f0-19e5f810b345/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

exe 8a6b5ff11c2262fe557e43a8a818d22d01a82b6aceed9f1d6a189c8b25b4843b

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample