MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
SHA3-384 hash: aeeefc464a73974d71656512a51c7920d7dc0d4cf286732885e876b38db204766630495304f9df6bba6689ec17a93368
SHA1 hash: e9bba65a4ff3b19edae1f445758bfcc5a8624e6a
MD5 hash: 20abb77d986979d1826e03f0b21eda8d
humanhash: mango-artist-edward-neptune
File name:RFQ 120.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:701'440 bytes
First seen:2022-12-23 02:01:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:la2PFC1Xliyg3OPD0hsJa8V1xUAbWJDsUqIJc92qD:g11XliyfD0h70YDs9Uc92g
TLSH T1C0E4F15D90A60688CE699F76C07B4829473F6D7ABE7CE11D304BB0216BF72CB4212B57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6b4b346153455121 (9 x Formbook)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ 120.exe
Verdict:
Malicious activity
Analysis date:
2022-12-23 02:03:51 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/32b8bc2f-154a-4f97-8845-8cb68abde7d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.25109.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed phishing
Link:
https://www.filescan.io/uploads/63a50c1b5e4c075cba0ff237/reports/db3698c5-29c8-4fe9-ad0e-33f791dc9e45/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5867a6d6-0df4-4064-8717-946b2fa91daa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139735
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 772465 Sample: RFQ 120.exe Startdate: 23/12/2022 Architecture: WINDOWS Score: 100 61 www.vr-training.one 2->61 77 Multi AV Scanner detection for domain / URL 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 83 12 other signatures 2->83 11 RFQ 120.exe 7 2->11         started        15 BaBkeEmYzxE.exe 5 2->15         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\BaBkeEmYzxE.exe, PE32 11->53 dropped 55 C:\Users\...\BaBkeEmYzxE.exe:Zone.Identifier, ASCII 11->55 dropped 57 C:\Users\user\AppData\Local\...\tmp2E71.tmp, XML 11->57 dropped 59 C:\Users\user\AppData\...\RFQ 120.exe.log, CSV 11->59 dropped 91 Adds a directory exclusion to Windows Defender 11->91 93 Injects a PE file into a foreign processes 11->93 17 RFQ 120.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        95 Multi AV Scanner detection for dropped file 15->95 97 Machine Learning detection for dropped file 15->97 99 Tries to detect virtualization through RDTSC time measurements 15->99 24 BaBkeEmYzxE.exe 15->24         started        26 MpCmdRun.exe 1 15->26         started        28 schtasks.exe 1 15->28         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 17->69 71 Maps a DLL or memory area into another process 17->71 73 Sample uses process hollowing technique 17->73 75 Queues an APC in another process (thread injection) 17->75 30 explorer.exe 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        process9 dnsIp10 63 www.adulty.net 103.224.212.219, 49701, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 30->63 65 www.shenghuojia6688.com 30->65 67 2 other IPs or domains 30->67 101 System process connects to network (likely due to code injection or exploit) 30->101 103 Uses netstat to query active network connections and open ports 30->103 42 NETSTAT.EXE 30->42         started        45 chkdsk.exe 30->45         started        47 autofmt.exe 30->47         started        signatures11 process12 signatures13 85 Modifies the context of a thread in another process (thread injection) 42->85 87 Maps a DLL or memory area into another process 42->87 89 Tries to detect virtualization through RDTSC time measurements 42->89 49 cmd.exe 1 42->49         started        process14 process15 51 conhost.exe 49->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-21 06:44:23 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqc6kul7hjakfwx4t2ddlgvfhyqrv4ymj7q2p533es6uftgdmnka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cobaltstrike
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ci07 rat spyware stealer trojan
Link:
https://tria.ge/reports/221223-cf5dqaag7t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Gathering data
Unpacked files
SH256 hash:
df140d439eac7c6b3d92b93f099289a3c5aab8bb2700f76e96fe3cf1a5896c56
MD5 hash:
344610dcf21c8e20223b966898b761fe
SHA1 hash:
d4f36442fd63c9dbb8d70b6bf3f6dc06d2f6dfd5
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3115c4b2-ec7a-4357-9cca-741dbdd1f556/
Parent samples :
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
8cde8e6a8021c1d4d221179126d6fdd2a2a20a2b24f57fc20202f86640350f96
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
a78e65c599449ae8f781711a5b432c95fd1c7ebbb4bb1c9353087e79b62f6489
59fe1ecfcc9a304108971209bdd1656f033bf0ef51744babf253394d58b10bbc
f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
SH256 hash:
fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa
MD5 hash:
6c3fdb2b5d93cf814ea1b6ca05a0efcf
SHA1 hash:
f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5
Link:
https://www.unpac.me/results/3115c4b2-ec7a-4357-9cca-741dbdd1f556/
SH256 hash:
3c99f4dc6f8678d8e1c3c090a3b1f22c307c624a649f2e36326ac3e7fb47179b
MD5 hash:
d0d724f61dda48089dac0f818b64d852
SHA1 hash:
8871678863bd59c5855b9c8ec740a44ccc330d8a
Link:
https://www.unpac.me/results/3115c4b2-ec7a-4357-9cca-741dbdd1f556/
SH256 hash:
f04775dc66438783710a1c87060131c44fdb31867a30fdc56ba3efd9ed4c6bae
MD5 hash:
4564146fcf67d65eb78952ef7b38f1cc
SHA1 hash:
5c9e9659d07cd7b34d143bbd622a63cdeb985760
Link:
https://www.unpac.me/results/3115c4b2-ec7a-4357-9cca-741dbdd1f556/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/3115c4b2-ec7a-4357-9cca-741dbdd1f556/
SH256 hash:
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
MD5 hash:
20abb77d986979d1826e03f0b21eda8d
SHA1 hash:
e9bba65a4ff3b19edae1f445758bfcc5a8624e6a
Link:
https://www.unpac.me/results/3115c4b2-ec7a-4357-9cca-741dbdd1f556/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9405e5517f3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment

Comments