MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c
SHA3-384 hash: df67ce0905424c92ed3612e8d78cfad8b0a2ebcc427f3de63251b7ee0d7b5d2101a53162e45a73f8748683fcc30fbff4
SHA1 hash: ec9a84c22b53401b6868cd52cdef28657ea3d6d3
MD5 hash: dc3fc5c07d6e2176beff1d7a105a217a
humanhash: blue-double-ten-yellow
File name:REQUEST FOR QUOTE#2800021_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:414'685 bytes
First seen:2022-04-19 12:02:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:ONeZw4wh+w0qaS7SnWYARyx58lpHXd6XohTDFqX4/ACkdkyjry20:ONX4wOS7XYzQ7N6XcTDFyik9ry20
TLSH T183941249F760C892CDA3E933CDAC116A6EFDB919C6A006061B62E6153E773C104A5FFD
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f096965555d670e8 (1 x Formbook)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST FOR QUOTE#2800021_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-19 12:11:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3392248f-7dde-49fe-8e67-f86efb4b50bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264605/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed python shell32.dll swisyn
Link:
https://www.filescan.io/uploads/625ea4f7482f2f41cad1adc2/reports/6a325046-30b5-44db-a434-250cd3e9d28e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dd15e31-e818-469b-87b7-59b62fd7a34e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978818
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Yara detected FormBook
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611305 Sample: REQUEST FOR QUOTE#2800021_pdf.exe Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 19 Multi AV Scanner detection for domain / URL 2->19 21 Found malware configuration 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 7 other signatures 2->25 7 REQUEST FOR QUOTE#2800021_pdf.exe 18 2->7         started        process3 file4 17 C:\Users\user\AppData\Local\Temp\keabpd.exe, PE32 7->17 dropped 10 keabpd.exe 1 7->10         started        process5 signatures6 27 Multi AV Scanner detection for dropped file 10->27 13 keabpd.exe 1 3 10->13         started        15 conhost.exe 10->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-18 23:18:48 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=usam3ou5yviufebg7uwjsca73sso6dttyalhwqipzo3rldxlmkoa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220419-n71emafbhj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
352dfb5b7de96827a21cc378c1a6c69810910d7a8d5ba447626a9e60ce9d93f5
MD5 hash:
c7e11ed9adda1b9cd61b3bb4a8112afd
SHA1 hash:
1b9b4e31a1deee78eaf9d24904ad75e874f6ea1b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/462d2e1e-3e69-4662-8575-2f7b9d080a4d/
Parent samples :
7f8435d43386aa3aee57de7fe1889c8e7762271428c279827b3293e3af5af282
a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c
52abf7bfa451ea28652ba5043a6b997af38a38fac15444930c69d75f7a5e6cbb
SH256 hash:
0fbb4ce46b861999cc270596c4f7c9252c5a57a5b0621e873b94cad50e4f48f7
MD5 hash:
d74fe5b3cd250a499edf19662940ceda
SHA1 hash:
fec398b9a4f3231d968c4f9978f49b99769e233a
Detections:
win_mofksys_auto
Create hunting rule
Link:
https://www.unpac.me/results/462d2e1e-3e69-4662-8575-2f7b9d080a4d/
SH256 hash:
a21565e5b09575c3988bc3ae9a2be7acba41bbf8a8949372c8c3ffacb7b43229
MD5 hash:
fbfbfaa74b41ecdeb1070344a6a546ac
SHA1 hash:
e0440b67055abe45c02b66bdb4ee9b4577a8787c
Link:
https://www.unpac.me/results/462d2e1e-3e69-4662-8575-2f7b9d080a4d/
SH256 hash:
a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c
MD5 hash:
dc3fc5c07d6e2176beff1d7a105a217a
SHA1 hash:
ec9a84c22b53401b6868cd52cdef28657ea3d6d3
Link:
https://www.unpac.me/results/462d2e1e-3e69-4662-8575-2f7b9d080a4d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a480cdba9dc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a480cdba9dc551429026fd2c99081fdca4ef0e73c0167b410fcbb7158eeb629c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264605/

Comments