MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f
SHA3-384 hash: a44d43e67fdf7c8a32d52eb346868a46d829691ca03b0dd567415f55075536394682fcf400d7380c1cbaa9cf7251bde6
SHA1 hash: fa4ede169fe5b8d282916dd6212eae200345e28e
MD5 hash: ba0b7470605cbf686796c0bfa1aa89dd
humanhash: princess-xray-pasta-virginia
File name:RFQ-02.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:370'597 bytes
First seen:2022-02-10 05:18:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:GwUJKkh9af1h9NrNt+shUKMfY3atsAmBonmvmL6iap44NG4mes:Qs1h9ND+CemPYNL6iC4MU
Threatray 3'383 similar samples on MalwareBazaar
TLSH T1EB7412BAA4D94787C6174D70E2AE3A2E4B31CC1A45965907C71D3FFB23F22839724693
File icon (PE):PE icon
dhash icon 125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-02.scr
Verdict:
Malicious activity
Analysis date:
2022-02-10 05:28:29 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/3c558ec9-1dcc-4c9a-a6f1-13e8f67d172b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Reading critical registry keys
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6204a00f36f99219183592cf/reports/f3299c40-4303-429d-be05-36104bb46a62/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7584da71-1e21-4a37-9c7a-6a4692167976
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937524
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 570001 Sample: RFQ-02.scr Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 36 www.bewitchedkit.com 2->36 38 www.a-great-intl-voip-phones.zone 2->38 40 ext-cust.squarespace.com 2->40 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 7 other signatures 2->56 12 RFQ-02.exe 19 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\qiijzwmha.exe, PE32 12->34 dropped 15 qiijzwmha.exe 12->15         started        process6 signatures7 64 Multi AV Scanner detection for dropped file 15->64 66 Tries to detect virtualization through RDTSC time measurements 15->66 18 qiijzwmha.exe 15->18         started        process8 signatures9 42 Modifies the context of a thread in another process (thread injection) 18->42 44 Maps a DLL or memory area into another process 18->44 46 Sample uses process hollowing technique 18->46 48 Queues an APC in another process (thread injection) 18->48 21 explorer.exe 18->21 injected process10 process11 23 svchost.exe 21->23         started        signatures12 58 Modifies the context of a thread in another process (thread injection) 23->58 60 Maps a DLL or memory area into another process 23->60 62 Tries to detect virtualization through RDTSC time measurements 23->62 26 cmd.exe 1 23->26         started        28 explorer.exe 2 148 23->28         started        30 explorer.exe 123 23->30         started        process13 process14 32 conhost.exe 26->32         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 05:18:10 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmgufakss46a6c5ye6pvausmxyhs3aevsp6gbfn76lbjvnmb7yxq._file
Verdict:
unknown
Similar samples:
0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27
Formbook
25d303b079d2552fdd0eb50124a7e9d62ff58dabddea0ac49739b6f2f6e90a24
Formbook
836696cddebff5d522acb2c105a404ceeb635df69b3c9544b5bebcef13bc3e86
Formbook
9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
Formbook
bcd3370b658c2247fd8bd07cddecc9e81025ffd7585a8f7ad5d0614ecc2ef08d
Formbook
c65cf48fc08b19589a00110bc5c3c8eab2b3f41018ca606616b0d10fece7b2f8
Formbook
d16f89c837232783bc9047364818714d786ba3dd382f62bcbe77ac416f4d4bda
Formbook
d8722ea25b272799308ed667084a5080de6cce80ca8820c2685bf631aacbf8cf
Formbook
+ 3'373 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220210-fzb33aebg7/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Enumerates physical storage devices
Drops file in Windows directory
Unpacked files
SH256 hash:
46e09aa8f1d737799195f4baf4d4bc2c12f51d81656ccc3448f4d1af6b6e3e25
MD5 hash:
8b09b3046673f2354802096d6217e392
SHA1 hash:
50083ef5695b64704b4f50a7bf7a24cab5d746be
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/51cba04a-6e30-430e-8385-54c45436aea7/
Parent samples :
719d886691ce91e7cbf30951199fb337e7ed2d1bae4c381a57da2d3802594be2
ba47d548d20732c621ab2fa56d5276a838de12667e1c0355bcf3dbb1466889b3
c0c29923af2f1b96665b03ba9ad6b7d68a0c1b8cfb4e42767656d9d3b0a5dec0
f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363
d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35
d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633
ed6f5a03bca21156bbdd4119ab88c31234eb1a3114552451a7d8af201279e908
07bed83b3f7c13154a148f82ceac3fe9f68a7995ed5a939e91427e611bfaa863
4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd
86fe5597dcc6944c5615838866eb7d68d212bc87200c9ea1a2e244755d8fe410
21e0f4a6f5733e2bfb4ba603957244392e641f596d9df3f6900d5efa5b895afd
ce80df3a4bc48726d4cb9365247b06678da7972d8473a159b1db32fb66f48a82
2bfa8e78bd3e83e2f442a4c560af71c366044893a85b15aff2f3d7d4c67636cf
d9fbe8e59e8dcf5231168ed35a3ad0c8c448eb888eca02c9b898d5961899e839
37381387ba545bb59dfd52eca6574b037020b32ffb1eb9d97419791ac6832b2e
4748460c7c757eda69a0340104939b382231567cf559315494901fe2b122900c
8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f
95bc06b53614e506be16b2ab8b0841e48fbb95796e86c2052e104d0a485a1b91
d65780164a77ce22c797194c56063b03c1c4975987604aa4a35184d62f0b068a
f35b19f498e527a1a8eca51ec82221c55c2f969efb59b2c0b6cff0f3e0e852f6
5c443a90ff238f83c70b95defcd8dc990289072c42e47ec7749905037add8040
799b39cfe67e2f5219fcdb37a5e82ab96e3456273b05d8ccf2eab60aa2ca6fa8
e5b723d9a13e6fec23839823866253128dbe758c31082616ca89cf55d35a3998
c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
a6d8e8caf01f8c13d014eb8b8bf7f55b453d7084d709efa0e98d43c8290feed8
d28d578ee53e1d9bd5eaad8bd5772098ad8909f8ccb3c22a47da9a53857637f9
bb2c94169afa24fc9d064b5fd6878c9547693eb917850844c417716ec5269718
fba3315dff9db2942ea64b91b77cf06855e83b1eed9199cfed679b08f65f9f69
SH256 hash:
7c02b5c816a47d5b0c09bc4018b1ace546ff7cfa4b3d4c1003834f83866e60d1
MD5 hash:
286fa3e048c117be0f4a59a50f39b51d
SHA1 hash:
d3300610570f7ca1e7ae2451be6016722f77b687
Link:
https://www.unpac.me/results/51cba04a-6e30-430e-8385-54c45436aea7/
SH256 hash:
8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f
MD5 hash:
ba0b7470605cbf686796c0bfa1aa89dd
SHA1 hash:
fa4ede169fe5b8d282916dd6212eae200345e28e
Link:
https://www.unpac.me/results/51cba04a-6e30-430e-8385-54c45436aea7/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8b0d42815297/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments