MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf
SHA3-384 hash: 9ee78b7d032dc2507289650326f6c92e9639dea01ad394a3435e5ec9bda051280bb0ca8eb686e805cc2b61be59e0cbfb
SHA1 hash: 2cdc8d7f687f1bfd64b456a5bee3fec610b7c0a1
MD5 hash: 67eba99fc8eb8a27dece4580ea87b88b
humanhash: bakerloo-magnesium-robin-ack
File name:rINQUIRYFORQUOTATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:543'744 bytes
First seen:2023-09-16 13:20:20 UTC
Last seen:2023-09-16 13:20:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:jC7eXbYvswJDaCYbeJDnWoz/u0U3fkaafu:jweXo0eJTPlafkfu
Threatray 1'934 similar samples on MalwareBazaar
TLSH T1FFC423D1F6D80836CB783AB804E79D04637EF2999FE1AE7F17C874371264BA562006D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
rINQUIRYFORQUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2023-09-16 13:21:47 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/286d5573-31a1-471b-a83f-0febc69c4b7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449046/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2360.32100.2022.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6505abbf1edabd99829b8ef2/reports/16bda097-6d29-4c82-b5dc-c6c40070334a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7ee12ed-6ca2-4f2b-929a-ecda6cf5449e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309459
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309459 Sample: rINQUIRYFORQUOTATION.exe Startdate: 16/09/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 12 other signatures 2->70 10 rINQUIRYFORQUOTATION.exe 7 2->10         started        14 djEHvAnplmxJ.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\djEHvAnplmxJ.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\...\tmp1A39.tmp, XML 10->48 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 10->78 80 Adds a directory exclusion to Windows Defender 10->80 82 Tries to detect virtualization through RDTSC time measurements 10->82 16 rINQUIRYFORQUOTATION.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        84 Antivirus detection for dropped file 14->84 86 Multi AV Scanner detection for dropped file 14->86 88 Machine Learning detection for dropped file 14->88 23 djEHvAnplmxJ.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 16->56 58 Maps a DLL or memory area into another process 16->58 60 Sample uses process hollowing technique 16->60 62 Queues an APC in another process (thread injection) 16->62 27 explorer.exe 3 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 50 www.bvty1749.com 27->50 52 donukotokurtarma.com 142.132.254.26, 49716, 80 UNIVERSITYOFWINNIPEG-ASNCA Canada 27->52 54 15 other IPs or domains 27->54 90 System process connects to network (likely due to code injection or exploit) 27->90 37 wlanext.exe 27->37         started        40 WWAHost.exe 27->40         started        signatures10 process11 signatures12 72 Modifies the context of a thread in another process (thread injection) 37->72 74 Maps a DLL or memory area into another process 37->74 76 Tries to detect virtualization through RDTSC time measurements 37->76 42 cmd.exe 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 15:33:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
16 of 35 (45.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnqtgueazy36cb6tpggtj57cqhdgeofax5r5bc4enj5yduuwt7hq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
Formbook
244be6e97ebec790a323a32fc4fe43dade04804c07ae684191c4d527f5312ad0
Formbook
651a4c3e35b647788a3eb33862d90bc7d58912e6e99ffb8a7bd4c759634fe67b
Formbook
677d8f0356d1a1afde7e90e35a132cc47eb2c1568648c1c90c237921df11a15a
Formbook
6a57e513b61e8a308a00109c55555b710dcaa64629a25982ddcf3c4433fed248
Formbook
9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54
Formbook
b28c7e4510175a83aa87b5511c73319de27fc894ffc28d561d4689c3ca27d1f9
Formbook
d0822780e14edb57b8f46ebf39b402b90b12b4a9ee7a5537412302815982351a
Formbook
ebaa46d302bc220922a76189a85e48f24587ccab47f674d37b02cf4e605c4755
Formbook
eea29ccf59fa6a6aa5a3c14360db6068144f14601d987ec37ea21a35cdac9430
Formbook
+ 1'924 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a0e6 rat spyware stealer trojan
Link:
https://tria.ge/reports/230916-qlmyhsag2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
6b4a3bc98ec893c40cfe722c0f48731f7608fe22dcc734d5c9ce48e2dc9abf89
MD5 hash:
ea08f7a9e50a363e3fed5136a65e4274
SHA1 hash:
39c3513aead1fce85f308db6eb67b9ea1334d14d
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3f50e9bc-c73b-4551-97c2-e25098b1bf4c/
Parent samples :
8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf
7889ddde3b3df39bc42c7498aeee8809aeeded17b50e7fb7d3d0e6027ab55ada
SH256 hash:
f7e621a550175188df8b53c140fd71eaa63bb9a7f45f7a716bddac5b48e33316
MD5 hash:
dbedfcf94e526e2833398b82643141af
SHA1 hash:
f0fdd864ae3aaae4c01a12913df1610634ddf31c
Link:
https://www.unpac.me/results/3f50e9bc-c73b-4551-97c2-e25098b1bf4c/
SH256 hash:
0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806
MD5 hash:
604ba9fe5293c6b09155e9593e5fe8b4
SHA1 hash:
c9ca531c5c50091dcdeabea6af26643e897fe3f8
Link:
https://www.unpac.me/results/3f50e9bc-c73b-4551-97c2-e25098b1bf4c/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/3f50e9bc-c73b-4551-97c2-e25098b1bf4c/
SH256 hash:
8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf
MD5 hash:
67eba99fc8eb8a27dece4580ea87b88b
SHA1 hash:
2cdc8d7f687f1bfd64b456a5bee3fec610b7c0a1
Link:
https://www.unpac.me/results/3f50e9bc-c73b-4551-97c2-e25098b1bf4c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b61335080ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8b61335080ce37e107d3798d34f7e281c66238a0bf63d08b846a7b81d2969fcf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/449046/

Comments