MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf
SHA3-384 hash: 29333f14c8372b7697939417306150e11dca8ec552197561a8db6dbd41457bf01dfd647ec526cfb62fd3270ab35c11cf
SHA1 hash: e06c39414bd6aa6c993a099ecc36636c483ae518
MD5 hash: e29ab840675a57be3b6bf409b074656f
humanhash: indigo-wyoming-kansas-jig
File name:URGENT QUOTE REQUEST_____Pdf_.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:555'283 bytes
First seen:2022-02-14 07:06:37 UTC
Last seen:2022-02-14 08:58:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 12288:9GGWPLTzYKV7VfSQp+gwc3FTrXsPmrFEuZPf0P3I7VLB+ZeZ2:IMKV7Vf9ZsPmrFlZPf0PY75B+ZeA
Threatray 10'823 similar samples on MalwareBazaar
TLSH T10AC41209FBE5CCD1F0AD29301A76CA6EB2B33D763B88460B26A17F0D57705465A13D8B
File icon (PE):PE icon
dhash icon 19b8ce5b5dc37a18 (1 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
4
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241263/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9a878e3-e067-4050-b68a-aa7cc52bd994
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939130
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571603 Sample: URGENT QUOTE REQUEST_____Pdf_.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for domain / URL 2->28 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 6 other signatures 2->34 7 URGENT QUOTE REQUEST_____Pdf_.exe 19 2->7         started        10 jscgmrhj.exe 2->10         started        12 jscgmrhj.exe 2->12         started        process3 file4 24 C:\Users\user\AppData\Local\...\bjeexpqdr.exe, PE32 7->24 dropped 14 bjeexpqdr.exe 1 2 7->14         started        18 WerFault.exe 10 10->18         started        20 WerFault.exe 10 12->20         started        process5 file6 26 C:\Users\user\AppData\...\jscgmrhj.exe, PE32 14->26 dropped 36 Multi AV Scanner detection for dropped file 14->36 22 bjeexpqdr.exe 1 14->22         started        signatures7 process8
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 07:07:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
14 of 43 (32.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uws7isihwzvqgj35jbhky4j4i7fuyolvdoglvcne2dcu2odtmk7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
13c9e72370631d555cab3bd6ba12339252fa26915a6a60741668aea478a17cbb
Formbook
3336b511b906b02bae8c9addc0896660dbe98cc95a01acf0b18a9020953cb13e
Formbook
41d5c1e02c1b4a694660a1c8759ffd46569f5b9574ed99a08d3f00cd2765d2d0
Formbook
502bd048ca66ac44a6ee60d4737e1b9fc5749bf3e665645e9da6039bdf399ba7
Formbook
b7cf8d9d8db4c5eaf796d35251bfc2b24f34c2c77d2ca82a1ebf470323c0894f
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
+ 10'813 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:edf6 loader persistence rat
Link:
https://tria.ge/reports/220214-hxm4nahgdl/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Xloader
Unpacked files
SH256 hash:
d7ec99606ae71b9a0841680a25cc0fcd4a45915d5291f7e03e85d9b8ec871032
MD5 hash:
4a7a35b35aa7bffcce780c4efc31cbeb
SHA1 hash:
5f5d7ed535e3b305a3064b8139f1aa533c7db74e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/14bccad1-48a0-44ad-994c-5ad1e76a9c84/
Parent samples :
3336b511b906b02bae8c9addc0896660dbe98cc95a01acf0b18a9020953cb13e
a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf
993c7253966fed344ec31076448b6d38ca58b11116d57cf578115595b9fc1c86
3b3db55767e2d5972892d5832d84b7879d2ec179ee501dd41ee9fcc11f107132
6988ca1c014e55ad0ff7c394a9be532bf01fe531d68dfaba70ea106f9db787cb
SH256 hash:
18235940fcd1739e64b81513d79ddab34046ec17cf8f141af1e035c0d13ac16e
MD5 hash:
91af51ba97f06533ff4288cdb87e40d2
SHA1 hash:
0bffbdc72f1d407cf82241ff626358d98ec19c50
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/14bccad1-48a0-44ad-994c-5ad1e76a9c84/
SH256 hash:
ae31824c12ac1b106622af15f3eca9ec755f420319fb295b9e137c1688e92989
MD5 hash:
ceba0911615e5e3cf6b29aba1470582b
SHA1 hash:
549c636fc6950ebf6bb46f520399ec76bdaa64f5
Link:
https://www.unpac.me/results/14bccad1-48a0-44ad-994c-5ad1e76a9c84/
SH256 hash:
a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf
MD5 hash:
e29ab840675a57be3b6bf409b074656f
SHA1 hash:
e06c39414bd6aa6c993a099ecc36636c483ae518
Link:
https://www.unpac.me/results/14bccad1-48a0-44ad-994c-5ad1e76a9c84/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a5a5f44907b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a5a5f44907b66b03277d484eac713c47cb4c39751b8cba89a4d0c54d387362bf

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241263/

Comments