MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3
SHA3-384 hash: a292415f85bf28e370d284dfd9c58debb7af7834f8652ebd44f35c212a93990af98871f4aa1c2f760684129748b4a272
SHA1 hash: 7a86e892c6be37749a343a7a3013b6a4f46ac988
MD5 hash: c09c8c0f060b5c6e10947578a3993dfc
humanhash: fruit-skylark-colorado-potato
File name:QUOTE REQUES__PDF_________________________________.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:527'360 bytes
First seen:2022-02-03 08:11:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:HV7p3jchxySDy8Wuj+xFA+UfBQgJxOz8qbBQE2JBlG8d1k8YwS5gJ:XchxySDy8Wuj+xFA+Uf2gJxOrbBQdJGW
Threatray 11'051 similar samples on MalwareBazaar
TLSH T114B4E1A1F6975591F52BDA316136BC5107763EE3AEC2DA181324F24C0BF32A04E76A4F
File icon (PE):PE icon
dhash icon 96d4acda6cb4dc0c (25 x AgentTesla, 12 x Formbook, 10 x Loki)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/231759/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae1487ab-c509-48f2-b488-8630efd459a8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933687
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 08:12:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3oj2rt24rnznwyrzfn43nwe7gkmacus266qh5eqfaudisiwqbtbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0be58a33d1ccbb74ef24592d2d16009bd56638aef6c294af7793e57588e04ef6
Formbook
12876a9ad6e0bd4cf0d4fd1edbc14eedf3bcc96bee95391bad387893bb07fa8c
Formbook
19ea70b85d1e0c5c9c9ebb1f2412ee14b363da45f5ba68f7f8ea217fe6dcb975
Formbook
719c2edea3c0aaa814d65c272598d8d64db5ac0d0cf0a9adb12fe7a0a1fc9f19
Formbook
dac74494f01d415ffd11b8d9dfc13b8910fd731ec1d2351d2c5115228d252cf0
Formbook
e4999525a5626a76247a8f02a9e08c0ea35f13f717687b8a966cddb72f8adc6f
Formbook
ee5dd80f9946c3b8221409e1aed242cd36a8188850718f89722b48404906275e
Formbook
fdbca30c6db5b5bc5e1a954ce387deec23d7b77ff249ec916bcabb0a5faeb783
Formbook
+ 11'041 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ihg0 loader rat suricata
Link:
https://tria.ge/reports/220203-j3vlcseebp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
811078381800166dbbc5fd38d26c3bef261557c73ff977602a2248287073df3f
MD5 hash:
f33cef1ae2de76a7e317e95f89b1c75c
SHA1 hash:
eb42461f6bc3be8d61f900d96ef01d25aef7207b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7a3b7168-30c6-47c1-9a81-7fefd7b54f43/
Parent samples :
d750b5eb0bd3c9b24c2505c127c2a1ab78fd3385a2157083fcabdbba45bef7ba
db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3
be2d5feff0e6129b41979d8f15047d4dbebfc994ef7e71214324a1f412e4474e
4c5764d95bdd80b5c98ce78df8684af248550c535adafae13b92b3b79125b871
42cce80e3e20528953d3472513918fa7e3061f68ba6153dfbe7db82cce6df46f
d647a2e8ff08785b542bd885e62aed69fd43ea2dd801f5144bd990ec8719f3ed
3fd7b914185575863f75d5ac1950236aa9cb4aece2fce6ef2a5cdfecdb0860fc
1e8978d9e298c1f7dfc988a4b218badd93df889eab03388033a1683f5b495f10
f7c444ed90a2592c2bff60a8bfd2dc26e285aa49b6df89ec62e8adc25d98abeb
da1950706431dfa31c66d1d99d2bc15bcb02600fecea4fab7c17f97af173cb7c
620376e4bbb28e2ff3c82427767153500ed1c55b8c20c565084940514b33bc9d
7b4b92d6eefbcabd5c2af244e8f048e5d11d1cc2f0c967ff244457aae3844adb
9484b37af380c8c86dbd8234b60e7420e498671548359ca9393ed0402d9dbd80
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/7a3b7168-30c6-47c1-9a81-7fefd7b54f43/
SH256 hash:
2dc62849954c5da32ce5e676c80d7d92a0e9140a6b685a26ab3367ad8ff35eac
MD5 hash:
7287fc6de834090e37cee53849a3b295
SHA1 hash:
6114a58787ae6f3ad9ecd128af9b2abf8bd43424
Link:
https://www.unpac.me/results/7a3b7168-30c6-47c1-9a81-7fefd7b54f43/
SH256 hash:
db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3
MD5 hash:
c09c8c0f060b5c6e10947578a3993dfc
SHA1 hash:
7a86e892c6be37749a343a7a3013b6a4f46ac988
Link:
https://www.unpac.me/results/7a3b7168-30c6-47c1-9a81-7fefd7b54f43/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/db93a8cf5c8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 1d98137d7e001a745ad15fb444b3f798d9d5c4b1a6a027ce61c283c7aa26a5af

Formbook

Executable exe db93a8cf5c8b72db62392b79b6d89f329801525af7a07e920505068922d00cc3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1d98137d7e001a745ad15fb444b3f798d9d5c4b1a6a027ce61c283c7aa26a5af
Cape
Cape
https://www.capesandbox.com/analysis/231759/

Comments