MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
SHA3-384 hash: e8d49b2a9d914e6a6f710301b68b688b69b8bd68a764a61cf770fd0971470961a233b13ff80a981e9cd07fed7808fc3e
SHA1 hash: 2de57e4c09011338bb806ddb64d1add8e85bebdf
MD5 hash: ce65397998cca6f206328102580129fb
humanhash: shade-four-nineteen-berlin
File name:QUOTATION 12908.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:756'224 bytes
First seen:2022-11-17 16:56:29 UTC
Last seen:2022-11-17 18:48:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8jcWZrgQGDWyXAK5x7XGqVQIQpyuU0/W7uAzCaTbu7VqpcO1b:eMnDWhuGCFj0+iOCuy7Mpfb
Threatray 18'633 similar samples on MalwareBazaar
TLSH T1C2F4E1B9A6C50E51CE8C47F894B31A2402BBBD672EB1E21C29D871F70F737D14549B8A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6b4b346153455121 (9 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
QUOTATION 12908.exe
Verdict:
Malicious activity
Analysis date:
2022-11-17 17:05:59 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/cb6a9dc1-b1bb-46c5-ac50-15b7a2f62a33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/335471/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20943.26743.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637667e4f75d59fef0b9b0e6/reports/2171c81d-29e5-4cea-9138-fc6edba2d492/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d2c3f92-79dc-43b1-9931-734f25b4fd7c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1116057
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748768 Sample: QUOTATION 12908.exe Startdate: 17/11/2022 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 Sigma detected: Scheduled temp file as task from temp location 2->66 68 11 other signatures 2->68 10 QUOTATION 12908.exe 7 2->10         started        14 vGGgFpAyvrKPnU.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\vGGgFpAyvrKPnU.exe, PE32 10->46 dropped 48 C:\...\vGGgFpAyvrKPnU.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmp1866.tmp, XML 10->50 dropped 52 C:\Users\user\...\QUOTATION 12908.exe.log, ASCII 10->52 dropped 72 Adds a directory exclusion to Windows Defender 10->72 74 Injects a PE file into a foreign processes 10->74 16 QUOTATION 12908.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        23 QUOTATION 12908.exe 10->23         started        76 Multi AV Scanner detection for dropped file 14->76 78 Machine Learning detection for dropped file 14->78 80 Tries to detect virtualization through RDTSC time measurements 14->80 25 vGGgFpAyvrKPnU.exe 14->25         started        27 schtasks.exe 1 14->27         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 16->54 56 Maps a DLL or memory area into another process 16->56 58 Sample uses process hollowing technique 16->58 60 Queues an APC in another process (thread injection) 16->60 29 explorer.exe 16->29 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 27->35         started        process8 process9 37 cmd.exe 29->37         started        40 control.exe 29->40         started        signatures10 70 Tries to detect virtualization through RDTSC time measurements 37->70 42 cmd.exe 1 37->42         started        process11 process12 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-17 02:29:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sapazqk7ius3qracltcxswpolxcdjbclummot4juswe3vfs4d5jq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a22fb14f837309023971bf41b88cfc9b3ae7d9db44da63257d36d73dbd716ad
Formbook
5d781e4eb5ff900fa98654ed3c4de450539f80dda2f2e03a6303f781937ecbd4
Formbook
78c83e6e7ce1c4708302ea7cd0a51b142b49f1e58e5fdefa07d9891b019683a4
Formbook
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
Formbook
986c2fabf6b43d085dc49c812cb8514d093c53ac4beccadf311fd8e8d34b8c0a
Formbook
a08b93c63ec431feeda8394aea08bd894bf0b0f2fb82a4bb134e4ec8bad2e67e
Formbook
ab885c190a5cf8f650a0c8ff3b6e0bd2ed857e4126cfde672fa5a70db5616751
Formbook
d6542847f6e753bcb676e6d891d85d88ff5a38fe7150975f53ac5863922a7667
Formbook
e12e92ded58d05cf87a0cdf4323859145f5aa09da69e4dd3ab622e65a9888587
Formbook
+ 18'623 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ci07 rat spyware stealer trojan
Link:
https://tria.ge/reports/221117-vf9ybaah91/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/39e15e41-8aae-426a-b5fc-ac1eb146c7a5
Unpacked files
SH256 hash:
df140d439eac7c6b3d92b93f099289a3c5aab8bb2700f76e96fe3cf1a5896c56
MD5 hash:
344610dcf21c8e20223b966898b761fe
SHA1 hash:
d4f36442fd63c9dbb8d70b6bf3f6dc06d2f6dfd5
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
Parent samples :
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
8cde8e6a8021c1d4d221179126d6fdd2a2a20a2b24f57fc20202f86640350f96
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
a78e65c599449ae8f781711a5b432c95fd1c7ebbb4bb1c9353087e79b62f6489
59fe1ecfcc9a304108971209bdd1656f033bf0ef51744babf253394d58b10bbc
f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
SH256 hash:
57b08dff6b5c0140c0e48b7cdc5fbca5bfcd16ad868531362d211e5e0fe0fbaa
MD5 hash:
fdf2ddaee9cff7b8c5c0fe5cd531c88c
SHA1 hash:
b4bd81c35563b1bec5e6f854b2426c941ab027b1
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
SH256 hash:
ead1fe09d02f0b0e3f064ba5d07e20a91b24bfb2b9f0e27641c7546d93866c9b
MD5 hash:
14fcf3e2e75c6ed6cbf3817a9ab04e7b
SHA1 hash:
2bf3852b52e6546bfd293d268a3712f353bbe636
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
SH256 hash:
2bf9d42c7949ff468245d67890205449d2180ca81eb11ba3e3161501cee5eb62
MD5 hash:
a9d58ec86359bebcbfb740ef2e1b30e2
SHA1 hash:
250530b3e9696179d03ae9ac5b446f779884534c
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
SH256 hash:
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
MD5 hash:
ce65397998cca6f206328102580129fb
SHA1 hash:
2de57e4c09011338bb806ddb64d1add8e85bebdf
Link:
https://www.unpac.me/results/91c9320f-3be4-4f12-a541-75d2c968d625/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/901e0cc15f45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/335471/

Comments