MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221
SHA3-384 hash:	22ee6578b1f26ec2ceea0e716ff3f74b2011eb65bcdc14c767118227f0fc849abeef7093a5fcd532c630e7d25ddc24f8
SHA1 hash:	abcfc40dc50525df06af7f3f43571bd09cd29a07
MD5 hash:	e5f55bd69cf18b9cf2374353a186dff0
humanhash:	carolina-lion-low-hotel
File name:	Requisitions.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	608'768 bytes
First seen:	2022-03-18 10:41:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8855fa9c9366af3805198d563d544234 (2 x AveMariaRAT, 1 x Formbook, 1 x RemcosRAT)
ssdeep	12288:leGezcWTwVTIdGk7R2A67pdTSJKsAR6TqI6F3HAh:j+kVT1kfINkt3qTHAh
TLSH	T115D47CEAF7E1C832D05325349C9EA2B89826BEA5FE149C46F6E43D8C7B3E3427115153
File icon (PE):
dhash icon	e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

RE Quote best price.msg

Verdict:

Malicious activity

Analysis date:

2022-03-18 13:17:10 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/81b2aab0-5968-4e74-bdb0-ae5449b18fea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/252485/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.46763.13865.23111.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Launching cmd.exe command interpreter

Launching the process to interact with network services

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Creating a file in the %temp% directory

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/9690/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe keylogger remote.exe

Link:

https://www.filescan.io/uploads/623461e5dfdfa8501cb5155f/reports/bff69ac3-12f4-4d07-ae43-5d0f1849a109/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd2498de-78c6-4395-83cf-dbc2f3e6a261

Result

Threat name:

FormBook DBatLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/959403

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Detected FormBook malware

Drops PE files to the user root directory

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Application Executed Non-Executable Extension

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2022-03-18 09:16:55 UTC

File Type:

PE (Exe)

Extracted files:

108

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sbdcxosl3dxbwdseebinn2hwrag2u7hhjugntwq4nzagp2fbmiqq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220318-mrp4aahfar/

Unpacked files

SH256 hash:

82c6df58281ae7cc2374f3cb500a03483c5e5f1b53b84f8f96223eb7c50bdb44

MD5 hash:

189fa04bd7b35f265ab6ff4d7e25787c

SHA1 hash:

815b241eb9128ae75c1b187b39e95434eb780499

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/dab096ca-38bf-4146-99a7-45579c41efb5/

Parent samples :

b9ed36a21e09ff33bef163a4b8f5f041bcc51ef24b12b66e4192a3dc529ba5f5
a37011f4db99b06727ee861d1931ea2b0cd1d048aadce2e51485983dd83d8a99
77e99afc3316611a03c302e162838a45df001ec4eac0d4533aba69e98c3becf6
c498aa9cf4e79784433902911692b917a1990fa009515ca307b675eb9f34077b
8da279ac96b229e5cf9e94b6d3a50ad3a3c048960d072f503565305deee84654
741c817dd6bc5c718770d5903d3d0bbb0038408cd6bc6321c1fe364649e38ffb
18c5126639d2d4f5f95f8579f783e56f1ee0dc385f1ef2a6404b9ca70399285f
a54f3a94b5d82060b575d85b0ab779f32f532c96beef3081783f838e687bfcfc
50dba2f344aa086c034ce37a3aea4e70629a0eeaa8c59b2b6f6395b4969b7dc1
f917034d08d7cc2d2af50ff28d1b52944691fba6bb96965e18948cf7473bbd80
1777cad58e9516ffbeb10b73f8b751d8689a71712266f223e2281a425ed09551
ea5a2cf2a4c8ddc7f01d6b8a573efa20b7dd35fe633e0d1413b0d41e2cd31874
708af0a1312a0b416011df2aa5d4c7aa52f4ff483e9e0f4795e0e98eddc5a781
f0a3b64a941e0abb7fbc40e63dbc2cc1efe0822739280c0f6fab6b877bdf711d
8fd2d590487f9c781d57cf53186e0e713e06095bf7c71cc442ec349f6a1f5c9b
6fc9563d971fe534d3b73811ed493784a02bab6f4a0c13362c762a33eb59300b
ef808aede6f70068b433647ba15f37e8b2b207b3bf1bd2e8d623ca0b18a64f5f
c536b84ee17abfc596058bf5aca74f161cc372669760aba80804d497bb256bfa
6e0e8d1cb340a26f3e8294c7b07ce486b56afcabfb90b7e20e4331b6384a85ce
f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
d1d9a1e96a6f7b46b3634ec6454c07043c26fdc8455c949738e51b712340022a
8fb9ddc78aef013fcbc8ff38135972fdacf66a871cc4b42f719efefe2255219f
89ca1ae6afd4451562d33f381d21e085245ebe1047d4a812d818fcf0a2e01393
fd56e2246a9054a8981dd48ce0858a9dc5aa92115b0d27d1192e9005cd27f7e9
7397f5b9dcb22b5032f825681a1158f362b3485a120f0fecbc51f1b1c5ca6a52
67e27b7d6665351e8cfef328924fa39f06ca60d4cb40287936293d4f2daff84e
2a46c9193e41e7e908edfd45c08368959abf9155d056305eed43a46f882d6866
a65520867c851b43c93d5e7c390bb4fedef94a648c70631bc02f396e4dbff522
341d113b8a3f61a729b14f38483a48d610e80757a50068c1683e10d7381a299d
319d243495674c304b394ebaf3e7265ac58f7e7f6ef0e727fd4cab977d939586
df89b24a6d5aa863a8f74587615c997510a46dc5fe6dc52389047b8d0753b1f2
b0d39dfb3b1d61b324e915ac84465e694988fa179c988798eb8d9dabacf58712
031e877589f97a23fae025f6f7ff04b31f5a4341fed57933191e1645b43cab32
ae51f5b12195c2ce67b7bcb6f2f97844b7abd02ea94026a60080ba5060a19a18
4bb146afde30f4c68237fa83d0235813b9548d4b4800e9a4ca7bfc57f49c6ebf
41052b2fbebd33434878b18c4b3fdedcc71ed062357fff97a97737440b633853
42bed45454511067a6358d37aaab96c745722d990125bd1951bb42346ff3717f
a84bdf209b862ffbdf3d963611eec3c1c2d70024e24041727a49bc618d6ff4cd
8db76bfdd2666649dc2be8ef188d9548971f1edbe4d45c0d689a4700f7ff8169
2c3d0dfe94f6ee36822a79a0d6bc22efbd964781a984dec679acbb5029ce1493
b08dd02223a62d1f9dae7ecd8770288acb32dcfafcfa5a58095b495dd43e3f1a
39ce700e582c22bf87f67241aa5537b74991a30d016878bdd6c2dfd6dc114f9d
a6cea446b135529f57315da655e5329e267f80a67940edbf949196536b212c5b
9ac0322714806d2e922280dc9d59622656f1d0f682cf093df8505022cd631da0
efdd97e52e2d4a47a66abeb6073c2be21ce056da12256a2f74a5e9c6a8fe1916
d6fd4c8c1b20fd3d8c8e9e9c951a7975bb332655e83a9c8f8dd23742331186db
3d5d161635b1d409b28564bb95c9006687b720caa5bfb6ed8679b87e889baf3a
199cc04b9d617b58a11715354df9a83c93416a3906a352aeb21181d65021fdfd
d385c24887eb6e83869c401aefa83135165cd196e5b959e369c5d520c71ab016
56ac1555cc21d3400c4168a52da00cab97bfb205f0b43ab417fbaa85e02def9c
c8f1d68423b8b8f43600ad0fb409f71283cd5a9c732d7b1e641b414f6313625e
ca0cfe500b3f6a17dd31e684c1b32c9190b08480cfc630c23d1ce6cb6164918d
9e5ede8160535eae10bd05d831b9276301611620d7b82e38ea1c8d75edcbd7eb
f1c91bc11ffe14c373f0165d7876db47b1768c326f4d46a270fb6247ca11b1f0
90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221
d6f3a14495623a92c292f7285b1879575c34a135bc9bfef37b8d778d5de450e7
5852bf7347b25ab7e1f19cd1ce6e09a5c0fd0a6bf3282db4273e0a2446476af7
2b0c03ec624b83fbdc97d1b026c8274b13e2aeff02165d4464375518f217ae56
8d5f75029a8b18b50f6d17ff20cb510d60fcea55b7ea49b9bb3f18dc1424db8a
834bbca917e33d612d4989b3b68ab2aec2d6f5ac27494514238eba9f579d9a95
df4529d0592f28fbe9ad1918f19fc78db86e7abbca15b24cd016e5f34774bdcc
82c6df58281ae7cc2374f3cb500a03483c5e5f1b53b84f8f96223eb7c50bdb44

SH256 hash:

90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221

MD5 hash:

e5f55bd69cf18b9cf2374353a186dff0

SHA1 hash:

abcfc40dc50525df06af7f3f43571bd09cd29a07

Link:

https://www.unpac.me/results/dab096ca-38bf-4146-99a7-45579c41efb5/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/90462bba4bd8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 90462bba4bd8ee1b0e442050d6e8f6880daa7ce74d0cd9da1c6e4067e8a16221

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/252485/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample