MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2
SHA3-384 hash: dbe682335fbf505a5cd4a15a16835ba6990efc81fbd40c9147aa4392b128f7c445df6167734d1d585f98992c068eebb0
SHA1 hash: b0201d739818ff7190614c95d4d8ad083a5ff862
MD5 hash: 49393190d0a3b85025e6751a85ec91b5
humanhash: five-equal-hot-burger
File name:REQUEST_PURCHASE_INQUIRY (2).scr
Download: download sample
Signature Formbook
Create hunting rule
File size:616'960 bytes
First seen:2021-09-10 09:57:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:AHtx8984Zk4DbF53e0IUFLY8Ofu4PbkHsXM7cN/MCyZuVjKWc9l:n0Zf9bkHsXJnA2Lc9l
Threatray 9'173 similar samples on MalwareBazaar
TLSH T1A3D49D1539EE50DAF1779F750ED0F29D9A1EBE222602DC192C41738A4632A42DDF393E
dhash icon b4ecccccd4c4ccc8 (8 x AgentTesla, 6 x Formbook, 2 x RedLineStealer)
Reporter cocaman
Tags:exe FormBook scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST_PURCHASE_INQUIRY (2).scr
Verdict:
Malicious activity
Analysis date:
2021-09-10 10:00:14 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7db53671-8f6c-4846-be3b-16e03e088518

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186845/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c14d873d-2b31-4381-b620-b149dbfbf2ed
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848706
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481136 Sample: REQUEST_PURCHASE_INQUIRY (2).scr Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 31 www.blacktanandwhite.com 2->31 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 10 REQUEST_PURCHASE_INQUIRY (2).exe 3 2->10         started        signatures3 process4 file5 29 C:\...\REQUEST_PURCHASE_INQUIRY (2).exe.log, ASCII 10->29 dropped 57 Injects a PE file into a foreign processes 10->57 14 REQUEST_PURCHASE_INQUIRY (2).exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 wlanext.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 39 Self deletion via cmd delete 17->39 41 Modifies the context of a thread in another process (thread injection) 17->41 43 Maps a DLL or memory area into another process 17->43 45 Tries to detect virtualization through RDTSC time measurements 17->45 23 cmd.exe 1 17->23         started        33 www.jjkvic.com 20->33 35 cdl-lb-1356093980.us-east-1.elb.amazonaws.com 54.85.93.188, 49783, 80 AMAZON-AESUS United States 20->35 37 expired.namebright.com 20->37 47 System process connects to network (likely due to code injection or exploit) 20->47 25 autofmt.exe 20->25         started        signatures11 process12 process13 27 conhost.exe 23->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 04:22:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tevgsc6d6zt4jvs66mkxwtnnwvz5tertqqrkgudbo5ahinif7tza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
004068094b6adb0e6548b6334afd2dad79312f09e94e04a1d1206874028bdda0
Formbook
5e6cd5d639ae3b9425d3e11ded2ba9b054bd28903e7c9ae7b1702a89fc66b953
Formbook
9404674e08d2d675f2d304d6c80ab25b857281973d00d06dd3ca367b03f8eacd
Formbook
96d01352b8291a658a602d403e2133d469945ab385d9746db535aba474fc04d0
Formbook
bf47f08eee3ae55a05d7cc1609a916422eb04771d04242ffa60756d922df3412
Formbook
c474dc9d81e08842f527487d032551b0d86e95a0f32fa2ebc7375fdb740c7e42
Formbook
dd3ecf0b5a39b287ba63687fe12ff1f1fcdde34adf0f3e30f7990ebc158347d8
Formbook
df8b0772860e56938078f92e437d4c04ff34808f40837e249b85af1ffb4dee4b
Formbook
+ 9'163 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:im8r rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210910-lzhhqsdabj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.xeroxliquidmetal.com/im8r/
Unpacked files
SH256 hash:
50e18bd0327a53ed939160e939c6406046424fde4321bc2b6c25f82f5c282b7e
MD5 hash:
ba315072b134228dced52088aba374ed
SHA1 hash:
c11d1263df9d320ec9ff15e56a06bfb8147ef702
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f2abc62-b386-4f28-8198-48d9c9971ff0/
Parent samples :
992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2
31573322ef0e4c9d77a36ba43b66edc88da6d66a7be519d118b7c01d0986baca
SH256 hash:
e6b211e7f2a8b65a078c68f4ed693e4038112000b77e4159c082e13c08b23d32
MD5 hash:
67ef61c7285277faf123ea8906bb7b07
SHA1 hash:
f6b6fd5a322ed49f3f19fec511cb1824c9777ef2
Link:
https://www.unpac.me/results/0f2abc62-b386-4f28-8198-48d9c9971ff0/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/0f2abc62-b386-4f28-8198-48d9c9971ff0/
SH256 hash:
992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2
MD5 hash:
49393190d0a3b85025e6751a85ec91b5
SHA1 hash:
b0201d739818ff7190614c95d4d8ad083a5ff862
Link:
https://www.unpac.me/results/0f2abc62-b386-4f28-8198-48d9c9971ff0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/992a690bc3f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 62e8ab0aaa3079e468b29c137c6b93581938619e41a2c1f9c7478c391985f23e

Formbook

Executable exe 992a690bc3f667c4d65ef3157b4dadb573d992338422a350617740743505fcf2

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 62e8ab0aaa3079e468b29c137c6b93581938619e41a2c1f9c7478c391985f23e
Cape
Cape
https://www.capesandbox.com/analysis/186845/

Comments