MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef
SHA3-384 hash: b7f6df81ff174f5c426e2438de5c500b2e11e7c57eeb504f55016b49673738cbd337c481537b8467b9a6afad3a0127d3
SHA1 hash: cb2013d03a2bf04448b20a5a4aec0a8f979c8d9b
MD5 hash: 52bf72d40f8ecc722a7d8d6ae83ad2d9
humanhash: item-yankee-blossom-jupiter
File name:Inquiry List 0001-081021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:864'768 bytes
First seen:2021-08-12 01:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:x1kMHia17eHK7zvdqcFhPfmUxYXNUuki1qcbJdwd2/a:qcTdqMVfd2XNZLbJWES
Threatray 7'731 similar samples on MalwareBazaar
TLSH T14B05C029B784B904F2770EF6CC9E50109AB9EC035A43DF2FA0E8F629687B759943315D
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry List 0001-081021.exe
Verdict:
Malicious activity
Analysis date:
2021-08-12 01:04:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b2120620-9cc9-4e8a-92f6-265e09f29f47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178418/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.993-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c14152f5-8202-413e-9e64-ece31380f5d4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831326
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 463757 Sample: Inquiry List 0001-081021.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 33 www.southernhighlandsnails.com 2->33 35 www.soarshipping.com 2->35 37 2 other IPs or domains 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 11 Inquiry List 0001-081021.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\...\Inquiry List 0001-081021.exe.log, ASCII 11->31 dropped 61 Injects a PE file into a foreign processes 11->61 15 Inquiry List 0001-081021.exe 11->15         started        18 Inquiry List 0001-081021.exe 11->18         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 20 explorer.exe 15->20 injected process9 dnsIp10 39 mieducaciondigital.com 162.241.62.44, 49707, 80 UNIFIEDLAYER-AS-1US United States 20->39 41 www.shanmo456.com 146.148.194.239, 49710, 80 HENGTONG-IDC-LLCUS United States 20->41 43 12 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 24 svchost.exe 20->24         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 24->55 57 Maps a DLL or memory area into another process 24->57 59 Tries to detect virtualization through RDTSC time measurements 24->59 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 12:41:08 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lrj4ek456ipifmnegjyy5cyoyv3ag7heakwul34ro4nailqj7xq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
Formbook
2fbe2f9ceef4deca8b67d6cb32dc3cd8ebd422a95c24cf4392837f95ad560473
Formbook
3803dec5e2ab718dedda091e9ee84b588545614ae3d54aa78d956cec21128fda
Formbook
6fac6e1f7f8cdd8cec52b2dd7a23fd434084c7d12ef0f04deaa52794d3612ef7
Formbook
8ff564a57fcca6daaa6319451c7ccb61537b02b513b8b262a5f76348b70d0287
Formbook
abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564
Formbook
b5e2b52a984579c7f0aa92d0acaa6eef67f06af5330857ba98a62345edd59908
Formbook
ffb4062f3105628be393872c098765b9a7736911cb8fee4ff571b006a891c8a8
Formbook
+ 7'721 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:uqf5 loader rat suricata
Link:
https://tria.ge/reports/210812-jv3dhvghls/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.southernhighlandsnails.com/uqf5/
Unpacked files
SH256 hash:
9462512f72ee07ca950b6153430cb50906e6928efd6aadab68678dbbfe40ff80
MD5 hash:
3c08eafb1a6a184cf843a29c781a941a
SHA1 hash:
b96532e27b417f23aa1312cc827b82a1c84ea03f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9479de07-7aa7-4668-ace8-8d408208ecc6/
Parent samples :
2fbe2f9ceef4deca8b67d6cb32dc3cd8ebd422a95c24cf4392837f95ad560473
d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef
SH256 hash:
c837099bc43550c7e5ed1f0f2de68c0431677dc506ed27fb4329fe6bca347095
MD5 hash:
e80939801fa023a7ffd4200709e8c242
SHA1 hash:
b390fd8d19c2a1082a50d33d4ea7c0fcfa575ead
Link:
https://www.unpac.me/results/9479de07-7aa7-4668-ace8-8d408208ecc6/
SH256 hash:
ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc
MD5 hash:
6057ce35bd926dd6d49dedfa9cc18372
SHA1 hash:
1f4e44e1740ffbd91129ac3a37d22845bc52c158
Link:
https://www.unpac.me/results/9479de07-7aa7-4668-ace8-8d408208ecc6/
SH256 hash:
d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef
MD5 hash:
52bf72d40f8ecc722a7d8d6ae83ad2d9
SHA1 hash:
cb2013d03a2bf04448b20a5a4aec0a8f979c8d9b
Link:
https://www.unpac.me/results/9479de07-7aa7-4668-ace8-8d408208ecc6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d2e29e115cef90f4158d21938c7458762bb01be720156a2f7c8bb8d021704fef

(this sample)

  
Dropped by
null
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/178418/

Comments