MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
SHA3-384 hash: eb6b403a6c0786b0cdd60d08c76e6484943e237436d1d69976a38fe9e141f2ac5bf105b9e521d1152bc1db4bb103adaf
SHA1 hash: 3b7c6425c65933d6b5dac6187e16a0597f3ea5aa
MD5 hash: ae2f78ed3b32a4e7f969ce267778ac66
humanhash: violet-ohio-nitrogen-bakerloo
File name:THREE quotations.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:784'384 bytes
First seen:2023-06-08 13:21:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:0uJas/16/YHmM9mARLAV+/3M73epjTDrFljb3m0z9SFOuDsDtnQkCEgYDjz:0Bs6cV9mA9Im873epjyOxDtQXEnDf
Threatray 2'429 similar samples on MalwareBazaar
TLSH T1FEF4015D77F6050FD66B7FBD1C101170C6F86E8A7523C3AA1E8B798E9C92B440AC1A93
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
THREE quotations.exe
Verdict:
Malicious activity
Analysis date:
2023-06-08 13:23:00 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/904b4452-7122-4f53-8f32-953e95707efd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396991/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.36929.25372.8425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/6481d5fc4210b37bc33f9d21/reports/b8c16fe4-f444-490d-bc7d-df243108e63a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/805d3db9-1498-42c4-88aa-e80928496f89
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251161
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 884184 Sample: THREE_quotations.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 7 other signatures 2->42 10 THREE_quotations.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\THREE_quotations.exe.log, ASCII 10->28 dropped 54 Writes to foreign memory regions 10->54 56 Injects a PE file into a foreign processes 10->56 14 vbc.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 5 1 14->17 injected process8 dnsIp9 30 www.ikano-dashboard.com 17->30 32 www.p94d3.xyz 185.162.229.2, 49699, 80 UKFASTGB Denmark 17->32 34 9 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 msdt.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-08 08:59:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xuzqg37334ata7nzxngwpqjq4h6telsbw2gqsmgz3wlahjekbwa._file
Verdict:
malicious
Similar samples:
0807202daf2095810fdbc78ccf60ed83368e84da1f89d7215f9bac6590b40b7d
Formbook
2f10fa5c438a3d36f5156ff280926c9135bbc7b8f6e260dc322da83c0b7076f3
Formbook
31fae40dd922e63fd26099fa13a7b790c23e529439ea701a15b5c1c168da23f4
Formbook
3c4bb89b988346aaae821e6b5ca65572da9e265bf00dfa5d0df0870634711545
Formbook
6076d3956e79dc8752564da23a3dfa0100509b647128e82552bd234e5fa61ae8
Formbook
9f9ef502a14f6985947ff8aed129252f4db71d4ab29bb2cd11b533ce1fbf3102
Formbook
a5e39f16cb3dec0b3e2b6fe876bbfa1805f2266011289cf24864b3b85d9e5561
Formbook
e9439e30548f1ed8c32d7670ce4f9936ad5e802d488b931577e37c6741d27dce
Formbook
f3c00fb75da49f73a9945b562d748ff1b6958e3bfdbb1e833d6a16ef4d063092
Formbook
f8cbcb1465a47d18cd2c770f5b2dc7ffe152c51a618149c079ec5ff8a322dfdb
Formbook
+ 2'419 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ct45 rat spyware stealer trojan
Link:
https://tria.ge/reports/230608-ql79fsgd31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Formbook payload
Formbook
Unpacked files
SH256 hash:
1324ef1d47933d10b993f88ecbba39139917f63b5bb491de253b07e3895b6dfc
MD5 hash:
52b6e08cc03c01d68bfa8016d62136f6
SHA1 hash:
110f300f6a6dd87039eea6b879e51e77116c7bfe
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a363fb23-d047-46cd-ac3d-25db5663d22e/
Parent samples :
d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a
9d9e8ec84f674a2484716075dd29db7677057598a3ef9b1d0f8dd4addfac24da
244be6e97ebec790a323a32fc4fe43dade04804c07ae684191c4d527f5312ad0
1434b391d1b8e5369395173e021878dee61f4269e7e758102c430bb047cb336b
725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef
9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/a363fb23-d047-46cd-ac3d-25db5663d22e/
SH256 hash:
534e42de4b7d045cea95098674009af40a1297d7b9aee6771342e6b4109811a7
MD5 hash:
7e3a05043a3171a413e744fe391e8285
SHA1 hash:
b1b157009bed8b13f48c37a593c75a9310d2cbb5
Link:
https://www.unpac.me/results/a363fb23-d047-46cd-ac3d-25db5663d22e/
SH256 hash:
7fe8d63c68dcd691c2076ca94d8e0faaf95226675e89c31393d6bf7deabcf2c5
MD5 hash:
31f56ca35afe42c72a7a128a155840e9
SHA1 hash:
abdd8ffe6090e3939e575cccc07dd40fce77ef22
Link:
https://www.unpac.me/results/a363fb23-d047-46cd-ac3d-25db5663d22e/
SH256 hash:
4c64b4dc00a0d9537f507e7eca7eabef65071c03f551c72981005ec3a6bed76c
MD5 hash:
97bb0d881dde533de5af2cb5b52f86ac
SHA1 hash:
96beb44139dcb732964cb9431280c360e79c1984
Link:
https://www.unpac.me/results/a363fb23-d047-46cd-ac3d-25db5663d22e/
SH256 hash:
d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
MD5 hash:
ae2f78ed3b32a4e7f969ce267778ac66
SHA1 hash:
3b7c6425c65933d6b5dac6187e16a0597f3ea5aa
Link:
https://www.unpac.me/results/a363fb23-d047-46cd-ac3d-25db5663d22e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5e9981b7fde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/396991/

Comments