MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
SHA3-384 hash: b7606be42e3e0c95626fdc24dda4d861e88017c1a4935f299ce2e1a9238a84652cd0ca98d1a47800db71acc30744d086
SHA1 hash: 176b8966941a04bf833a19965eb3b8b0a9a9f3f8
MD5 hash: 76661f98b6bd857c7a5aed76da3552ad
humanhash: mississippi-ten-nuts-floor
File name:AGOCO RFQ NO 105017.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:494'211 bytes
First seen:2022-01-20 11:05:35 UTC
Last seen:2022-01-25 14:18:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:3w+P0YpXtS4K92kcBcpBzidnmJFxWPdvDeY4WotPmpRRGptk/BavA0/tvvu:ukRBWvzeEmDeY3uPiRipvAeQ
Threatray 12'809 similar samples on MalwareBazaar
TLSH T1E3B40943C1874A58EA2909F423A95B3E827B7D0BE495192AAF88315057F30F77C359BF
File icon (PE):PE icon
dhash icon 59317159795c9901 (1 x GuLoader, 1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221048/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe expand.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61e94220d32385db630e649a/reports/c9f6cd2e-141c-4b9a-ba32-1c703316863e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03e243b6-5a4f-4e39-af9e-7d947418a82a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924281
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556762 Sample: AGOCO RFQ NO 105017.exe Startdate: 20/01/2022 Architecture: WINDOWS Score: 100 31 www.investmentselectuk.com 2->31 33 unbouncepages.com 2->33 35 f2d1191311bf4911b5395c9f50831c61.unbouncepages.com 2->35 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 7 other signatures 2->49 11 AGOCO RFQ NO 105017.exe 19 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\gabukzgi.dll, PE32 11->29 dropped 61 Injects a PE file into a foreign processes 11->61 15 AGOCO RFQ NO 105017.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 37 airpods-case.com 23.227.38.32, 49794, 80 CLOUDFLARENETUS Canada 18->37 39 hk850.pc51.com 156.240.119.109, 49790, 80 Africa-on-Cloud-ASZA Seychelles 18->39 41 2 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 svchost.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 11:06:15 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzyxgebno6to2ut7yptyhpskurdoov7uif6t7ipwb47jzugp6t4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26b24cfe3b0bb84b26fc83ce689b74728ac61f32391772dcc76eab04cc7042b5
Formbook
3662913e3004f6e3811499a9877265b55fd4b99400607d2f4b4168dc2621f1ab
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
5ab3abbaaa772885b083fd8bd8d5855e8c6578c4a7cbaeef2cf68c1a3f4c1e11
Formbook
5dad6b254fb40bb4c090f5048e07da656821a4b6b163c6548287c3d91dcfda45
Formbook
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
Formbook
6cd342f13d56b8bc1d8b1346e3289f7feab428a0a75cfcea4bb31a8c452adf01
Formbook
85601ede72b1c348db5663e3782e7b3f3157c2356e2c90b769bb2afc2d476e4c
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
+ 12'799 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r3hg rat spyware stealer trojan
Link:
https://tria.ge/reports/220120-m7ebqahfe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Unpacked files
SH256 hash:
fb4082a719f22428b864ac82848e600214d36a37127a82b48c4c38effb20b668
MD5 hash:
d0116f73efdc719982834985c1c18728
SHA1 hash:
721be97f5c4eccfba557f12b493dfe4ce3c381d8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/865a415f-750f-4fb8-8318-c4d5eb2f263f/
Parent samples :
8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8
d2d2107ce64f31669e2c8dbe31da2cc683087050492fa4e8e31940e30f33ff04
38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a
e149c419c1e3da9f42da46d4ba594ec7b97fc9a333bea11d1693b6750edf603b
14f417212aefc7dabfcb9585ffcf24081ae68584c68732c69e4bf6ebc1a9aeff
SH256 hash:
6d0f7d611eba1ec879b3bd6b3a46d8678b762619f2edf97e7540a28e89cd6a6c
MD5 hash:
90c9fe8c9302fea5e2d82203e6c3f647
SHA1 hash:
e0d178a78ef2b216f5d4080ca4c9d01ea2d14104
Link:
https://www.unpac.me/results/865a415f-750f-4fb8-8318-c4d5eb2f263f/
SH256 hash:
8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
MD5 hash:
76661f98b6bd857c7a5aed76da3552ad
SHA1 hash:
176b8966941a04bf833a19965eb3b8b0a9a9f3f8
Link:
https://www.unpac.me/results/865a415f-750f-4fb8-8318-c4d5eb2f263f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/221048/

Comments