MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4
SHA3-384 hash: 49005c46a9849a0c804b4bc2c9495cf1c6a293cafb8a44f87930b7f59ffdc200dff984bb0c123c32b313933e7203d98a
SHA1 hash: 8392408915040e7397d0c5ef8415748fd41ed51c
MD5 hash: f0e4c1267b74749baa333af7b79863e4
humanhash: michigan-six-december-march
File name:Inquiry.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:292'489 bytes
First seen:2022-12-16 11:57:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:gkwn7X9cBmCuwC8XJDaXdihVmQzohW8ktHVKMZpWK4:NBmn8ZDAdKMQOW7VKIpWK4
Threatray 19'799 similar samples on MalwareBazaar
TLSH T1DB54F122F3D3849AD9924B302B3BDD6D0AB6CDA949F1564B23B83D7DEC773C22445189
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon bab0f1ecccce9e98 (17 x Formbook, 4 x SnakeKeylogger, 4 x RemcosRAT)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Inquiry.exe
Verdict:
Malicious activity
Analysis date:
2022-12-16 11:58:19 UTC
Tags:
installer formbook xloader trojan stealer
Link:
https://app.any.run/tasks/59abee7d-9e83-4038-bd8e-7aa6664083e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346973/
Detection(s):
Win.Trojan.Generic-9938653-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Searching for synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook nemesis overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/639c5d4a2443142ef33fa915/reports/ce3891fa-ed2a-4d99-9fc7-601d44c43efa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce88d3aa-937a-45a1-986a-e7cfc5913fa3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1135667
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 768397 Sample: Inquiry.exe Startdate: 16/12/2022 Architecture: WINDOWS Score: 100 28 www.vdcinfotech.com 2->28 30 vdcinfotech.com 2->30 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 10 Inquiry.exe 19 2->10         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\Temp\iahjg.exe, PE32 10->26 dropped 13 iahjg.exe 10->13         started        process6 signatures7 64 Antivirus detection for dropped file 13->64 66 Multi AV Scanner detection for dropped file 13->66 68 Machine Learning detection for dropped file 13->68 70 Maps a DLL or memory area into another process 13->70 16 iahjg.exe 13->16         started        process8 signatures9 38 Modifies the context of a thread in another process (thread injection) 16->38 40 Maps a DLL or memory area into another process 16->40 42 Sample uses process hollowing technique 16->42 44 Queues an APC in another process (thread injection) 16->44 19 explorer.exe 16->19 injected process10 dnsIp11 32 www.cpitherapy.com 178.128.239.245, 49699, 49700, 49701 DIGITALOCEAN-ASNUS Netherlands 19->32 34 www.p-soils.com 162.43.120.154, 49702, 49703, 49704 CYBERTRAILSUS United States 19->34 36 5 other IPs or domains 19->36 54 System process connects to network (likely due to code injection or exploit) 19->54 23 svchost.exe 13 19->23         started        signatures12 process13 signatures14 56 Tries to steal Mail credentials (via file / registry access) 23->56 58 Tries to harvest and steal browser information (history, passwords, etc) 23->58 60 Modifies the context of a thread in another process (thread injection) 23->60 62 Maps a DLL or memory area into another process 23->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 10:01:59 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=seqyhbxnexlceicarfz2apdwxdcpyrcrfjqovpioin5sxpiq47ka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60
Formbook
7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf
Formbook
90212e18e6b4b235bbb6f4083bd0a2c491e0be12edc600199eb0ed0839d9a554
Formbook
933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603
Formbook
937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
Formbook
984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05
Formbook
a7537f2ef1d10ef549145bd8ce586f1cce82ed841eda60b991b01137bd558bab
Formbook
bc3d6ac010a0a9b7dd04daeef112c3aa5524fd52076cc38665d4ff7377292c85
Formbook
d4c48b5aefc7225b307e2e8c3f2d158b14fc6b736c83d36dc36a9d7c2e6eec29
Formbook
e1a4191f102a615de1993bfd9381ec31a264cd7f4cfe76b90244a1abf0ab6c7e
Formbook
+ 19'789 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m5oe rat spyware stealer trojan
Link:
https://tria.ge/reports/221216-n456psef64/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/08b6b97a-656f-4636-9fd1-cab5bcf8d718
Unpacked files
SH256 hash:
1e050e7b9dbeaeef5a13fd50f97d96dc6a7bf16c5977955750f5af8c18bd6a99
MD5 hash:
1e8d6d450d4d29021a1492aa95936706
SHA1 hash:
843c7823b2bf5b08745cc4070b6baaf0e77d343b
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/aa34be3d-525c-4a06-94f0-a598de12465e/
Parent samples :
90212e18e6b4b235bbb6f4083bd0a2c491e0be12edc600199eb0ed0839d9a554
7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf
4ac30ca3142675b81e4490da111a69336cc0b41b21049d3a8bb6b38e7851b529
937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603
05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b
e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4
SH256 hash:
9710dc374fe631ea03575f6159156c1a105b2da641af25593c016327a0b5691c
MD5 hash:
e0e19eb3bb4dc912f4ad29c31d3a35f7
SHA1 hash:
36ae39734e7d6475e92387f05a184daabee1fb40
Link:
https://www.unpac.me/results/aa34be3d-525c-4a06-94f0-a598de12465e/
SH256 hash:
8db377e7f08c81910b0c64aaac26f99d9e468f6f1322c8f705a37743e712d3cf
MD5 hash:
9b189f63f42e58423a0b42311b6be5ce
SHA1 hash:
2d2bc7e732838ff6925cc7c23486b78aeb713ed2
Link:
https://www.unpac.me/results/aa34be3d-525c-4a06-94f0-a598de12465e/
SH256 hash:
91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4
MD5 hash:
f0e4c1267b74749baa333af7b79863e4
SHA1 hash:
8392408915040e7397d0c5ef8415748fd41ed51c
Link:
https://www.unpac.me/results/aa34be3d-525c-4a06-94f0-a598de12465e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91218386ed25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.24
Link:
https://yomi.yoroi.company/submissions/91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/346973/

Comments