MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284
SHA3-384 hash: 11deb115840ee8b7f59b18970dcc98e99712cb9bc48fb3869329d683d791ae6937babe8b1632768529b8f6a382d0732d
SHA1 hash: ba88609508657b04c665d15b9fec27565810aec9
MD5 hash: 7f2ab7a73897ef184b2b2f88c441f7b2
humanhash: aspen-floor-don-delta
File name:Request for Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'089'536 bytes
First seen:2021-01-19 07:37:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:S9AeKHprV+oOCo42Y1e0LwBQfNgCRDNo6CP+3Kw+CdHGcsokBY:1tzPgYUGw2fnRD5uiXUcfkW
Threatray 3'534 similar samples on MalwareBazaar
TLSH BA35382212BC5AD9F4BDAFB56064031A83F1BC01D735DA1DED8B70D9D873A83CA566C2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: dynabiotech.cam
Sending IP: 111.90.158.99
From: Mesut <mesut@alamsteel.com>
Reply-To: andypurchesmen.780@gmail.com
Subject: Quotation NEW ENQUIRY ///URGENT///
Attachment: Request for Quotation.rar (contains "Request for Quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 08:15:25 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/277865e7-a411-48a8-bcee-7349aa9f23ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112808/
Detection(s):
Win.Malware.Score-7597125-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584587
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341331 Sample: Request for Quotation.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 12 other signatures 2->52 10 Request for Quotation.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...\OrxfuWwhEehOge.exe, PE32 10->32 dropped 34 C:\...\OrxfuWwhEehOge.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmpE514.tmp, XML 10->36 dropped 38 C:\Users\...\Request for Quotation.exe.log, ASCII 10->38 dropped 62 Injects a PE file into a foreign processes 10->62 14 Request for Quotation.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 rociosegura.com 50.87.150.177, 49746, 49778, 80 UNIFIEDLAYER-AS-1US United States 19->40 42 ufomars.com 51.178.7.144, 49767, 49783, 80 OVHFR France 19->42 44 20 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 netsh.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 07:38:17 UTC
AV detection:
7 of 44 (15.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2ht2eyjfw6zvqfesddjd3x27yacnzcbjcu57clnnnny5xhlkkca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
005b07f4994dac828c9c730744e73a4fde81ce34bd642f6835985871a2fb0084
Formbook
200f07a68b2fb323fa7f8cfa944a5bed193adfedcc00570a238fd66662109bd2
Formbook
36aaa61da7c30d84b06d1a0de81be11faa87266b5b88d45d04476ffc0112e53a
Formbook
5250b6aa047823e57f17d7f569816518b6acffce3ac870b2167b0cdc262b2bba
Formbook
6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829
Formbook
7315a2ebbb0bb585763c14e7c9f83722816d908e62407725e0aeb4f3b7d2ff5d
Formbook
7e81991149512cf491dcf11bbf5281f0aa35f79b50d0dec772c113dad415d680
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34
Formbook
da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f
Formbook
+ 3'524 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-e98swdzdmj/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.outtheframecustoms.com/9t6k/
Unpacked files
SH256 hash:
2675bc7b7bd9dc81e47de36455e479e09a116dfe0a70b1644f53422c90989a9a
MD5 hash:
162fde8f3d5c40936bd33952bf3e00fb
SHA1 hash:
a7cae18ece9b7c539ff1522700b2e4eb77cd494f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/01bbcd98-655d-4759-b799-34ee9b45897d/
Parent samples :
7315a2ebbb0bb585763c14e7c9f83722816d908e62407725e0aeb4f3b7d2ff5d
200f07a68b2fb323fa7f8cfa944a5bed193adfedcc00570a238fd66662109bd2
fe0ac8413830a780c0b21a9d453354d61a7ca21f08cadc5e40ba672e7d87d96e
36aaa61da7c30d84b06d1a0de81be11faa87266b5b88d45d04476ffc0112e53a
8e9bc8937b7c4448c8302e1e2b03af0e9fac285df0d8615e01e0e383694178b1
ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284
SH256 hash:
d558eea0e93dd22901942458eacc3d9d21541a6ef26f4ad0ca7e2d956d016f3f
MD5 hash:
d065b27cf243a1a76d544337b042db01
SHA1 hash:
9bda8f51638210d6514f431494c7220b030bc08c
Link:
https://www.unpac.me/results/01bbcd98-655d-4759-b799-34ee9b45897d/
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/01bbcd98-655d-4759-b799-34ee9b45897d/
SH256 hash:
ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284
MD5 hash:
7f2ab7a73897ef184b2b2f88c441f7b2
SHA1 hash:
ba88609508657b04c665d15b9fec27565810aec9
Link:
https://www.unpac.me/results/01bbcd98-655d-4759-b799-34ee9b45897d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 51fb9b5d18024da76ab74d7f21eb0c8d0d278d01b4e6f96f3d0d4187bedd5a36

Formbook

Executable exe ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284

(this sample)

  
Dropped by
MD5 12a489331601b8fb523274b4f9220395
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 51fb9b5d18024da76ab74d7f21eb0c8d0d278d01b4e6f96f3d0d4187bedd5a36
Cape
Cape
https://www.capesandbox.com/analysis/112808/

Comments