MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e
SHA3-384 hash: 93de48d5d1eb700f4a2c8bb8565c84c83dc1977ede3d62a09751887ec575d9297058193c60fea73761b854cad56a77e9
SHA1 hash: 639595a07bd375349f8371e577252087ffe37247
MD5 hash: 78df6987b12a77a4d38c4d08665ebe18
humanhash: crazy-rugby-winner-eighteen
File name:QUOTE.0050.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:217'278 bytes
First seen:2021-07-14 21:09:41 UTC
Last seen:2021-07-14 21:49:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:iBkfJpRXATwMdFCcGbWW496EByWq0vJBKVonPM5Z7dfWdolMR5mlkplZnyIjhPc9:iqjIKuYiBdoZpQPgSH0mUZFoZcMqv
Threatray 6'430 similar samples on MalwareBazaar
TLSH T10D2412253291CCB7C3370A701F3B5E25ABAC922401A61B8FAB50DBEAB945DD71E5F107
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
N°CF-AD-2107007.xlsb
Verdict:
Malicious activity
Analysis date:
2021-07-14 13:56:23 UTC
Tags:
macros macros-on-open generated-doc exe-to-msi loader trojan formbook stealer
Link:
https://app.any.run/tasks/d35d2fe7-4a01-439e-9e63-b2c372a648f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171832/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.27250.26815.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93035fa3-c6fd-4e92-870f-84ec9871a1ae
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816588
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 448999 Sample: QUOTE.0050.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 31 www.lowcarblovefnp.com 2->31 33 lowcarblovefnp.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 11 QUOTE.0050.exe 17 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\Temp\kiyeu.dll, PE32 11->29 dropped 57 Detected unpacking (changes PE section rights) 11->57 59 Maps a DLL or memory area into another process 11->59 61 Tries to detect virtualization through RDTSC time measurements 11->61 15 QUOTE.0050.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.zengheqiye.com 23.110.10.184, 49738, 80 LEASEWEB-USA-LAX-11US United States 18->35 37 aredntech.com 160.153.136.3, 49735, 80 GODADDY-AMSDE United States 18->37 39 4 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 15:17:23 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3uwe5wbc2qrac2szjx4wnu6ek2pviylx7ki35ujil5oh7x7wfpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
010f54e04b88914349c222fb020f1a02d36ef80ae2d6048df29535d19a2012f8
Formbook
1f108a10b866def65686fcb0e0c10612152288ea1f7a6158e5ada37f26d03265
Formbook
5372118bedc7e54daeed321ca6e2271d9a53dfe37ffab9b9f8ea91e8a3520ef5
Formbook
920d5b079a7684340c82b1334d87f828f4820b54437da0d109b381fdae39ac92
Formbook
9349259160fa0f5b568826e27ea3e372372e7fcf4d0d8b9a7a2057195824506c
Formbook
af2a18f22d7d6aa8e9415336093f6d6c2a60197419601042250e48bfcf3f2d53
Formbook
c09b2348606b04620b185f4658474843eef3d9ec99ae70145a481b955d50aebf
Formbook
cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2
Formbook
d348cbf91ed1e466a286b17f93bf3fd27bb01de6ba91c76bf586788bf16876cb
Formbook
fc6028f1731d7c612c6a4b848df098cfaa7d3caac1a098c526d9eb24d46bd6c2
Formbook
+ 6'420 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210714-h6v5k2h5xj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.craftsman-vail.com/cca/
Unpacked files
SH256 hash:
147a6058524d7a6fef2f2d46aa322d43354354817de7716477789d04f5839cdf
MD5 hash:
e88bf48c10f6fb7a1f54787bda066573
SHA1 hash:
0161bff7924e72e36d10e14d0b4cdec04bf115b0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/da52c7de-8d4f-4520-b3bd-18031da0d3ff/
Parent samples :
14420253ecb53e06005183d4d5f649d6b1d966403fbbb277575fbcf5264f54f7
55d030ccdce44ce560c937356b7c24819dd73772d2dbef1bd258bb9f23daf169
b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e
SH256 hash:
db10c9636a7d7aec652d7aea8ab16143793b6a1da1c41f8486babc271e9be69d
MD5 hash:
2ba17e14d1ab840f5ca03ee92996928e
SHA1 hash:
eb6be7539a81e28c1a20a82316694ff0d36c25cb
Link:
https://www.unpac.me/results/da52c7de-8d4f-4520-b3bd-18031da0d3ff/
SH256 hash:
e808b2bc2570f55c2430d03407dff708b1400b45a2e95d8469f2b1b907f23a9c
MD5 hash:
02be99ca20752dd71a8c2b2d180e4c6d
SHA1 hash:
032e6ca64290696a70c389e48bdd9ec28b277f44
Link:
https://www.unpac.me/results/da52c7de-8d4f-4520-b3bd-18031da0d3ff/
SH256 hash:
b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e
MD5 hash:
78df6987b12a77a4d38c4d08665ebe18
SHA1 hash:
639595a07bd375349f8371e577252087ffe37247
Link:
https://www.unpac.me/results/da52c7de-8d4f-4520-b3bd-18031da0d3ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b6e96276c116a1100b52ca6fcb369e22b4faa30bbfd48df68942fae3feffb15e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/171832/

Comments