MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc57d17b3c0a5ef3baa7ee867f9833f284f3c628c0b7ed610acda586b6bb2a14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc57d17b3c0a5ef3baa7ee867f9833f284f3c628c0b7ed610acda586b6bb2a14
SHA3-384 hash: d3b0def611424a8f12f4c7611b229e1d32ce23e1ad7d1da1fa022a23b4d013a123b307330ba70c0bc92697a43215a34c
SHA1 hash: 4b72be509781c2b0956e16408ffb2e246d1beb54
MD5 hash: bab4e4db3df0c0d3bb897be955805483
humanhash: robert-georgia-illinois-sweet
File name:Inquiry 247.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:477'184 bytes
First seen:2022-06-13 11:42:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:tZ6BafvIH7Ygusd0BwhDLA4nKhS0niuZ2U+e/Rg49YiKAUwxj:tZtfK7R0mPA4nSSyZ2ZepRKAT
Threatray 14'275 similar samples on MalwareBazaar
TLSH T126A412690B7D4733CD29177EC83A300C07BE1B585117EF9A2E05B4F99B5AB4A8158B72
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0022a3a2b8a6e610 (16 x Formbook, 7 x AgentTesla, 6 x Loki)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Inquiry 247.exe
Verdict:
Malicious activity
Analysis date:
2022-06-13 11:48:52 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/ac1861f5-17d5-475b-b893-7a9d5b528fbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/279395/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.6369.17459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching the process to change network settings
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a722d08763ffd4adbea1f8/reports/084758db-5cc0-4664-a0c0-43a880d9c888/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/321b573a-82ac-42d0-b349-a505138e8b58
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1011994
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 644492 Sample: Inquiry 247.exe Startdate: 13/06/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 10 other signatures 2->54 10 Inquiry 247.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\...\xEpbTHELxeOb.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmpBB35.tmp, XML 10->38 dropped 40 C:\Users\user\AppData\...\Inquiry 247.exe.log, ASCII 10->40 dropped 58 Adds a directory exclusion to Windows Defender 10->58 60 Injects a PE file into a foreign processes 10->60 14 Inquiry 247.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process8 dnsIp9 42 naega-joahanungeon-neoya.net 133.242.249.186, 49767, 80 SAKURA-ASAKURAInternetIncJP Japan 21->42 44 www.mountainbiking.online 66.96.161.141, 49769, 80 BIZLAND-SDUS United States 21->44 46 www.naega-joahanungeon-neoya.net 21->46 56 System process connects to network (likely due to code injection or exploit) 21->56 29 msdt.exe 21->29         started        signatures10 process11 signatures12 62 Modifies the context of a thread in another process (thread injection) 29->62 64 Maps a DLL or memory area into another process 29->64 66 Tries to detect virtualization through RDTSC time measurements 29->66 32 cmd.exe 1 29->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc57d17b3c0a5ef3baa7ee867f9833f284f3c628c0b7ed610acda586b6bb2a14/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 00:33:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rl5c6z4bjpphovh52dh7gbt6kcphrriyc362yikzwsynnv3fika._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0217e198252a39e8fee0b3f86c3f56ab448aa192be4ebd5b50fa08b26de69f8a
Formbook
13b1055dba2d6d9ff9b2937ca9a051ac5ae3c9faff869d887deff0fdd53bd936
Formbook
35ef7f464caa7cc3d93a0bd692aa8892284a56b098ae94ec9a70c2e876091b88
Formbook
4e7ff374bf5f0989e5d1e4ae395c9229a0d786ec1669dd0cf0fadf2a3f898554
Formbook
4fac64123dd9801541374d8d3bb647ed3f4378890841a7002ea48f3b14ea3872
Formbook
8f8d21fefa10cec4e4cf2f25573caaf203e6dbc001728ea6580821d8f1fbd0f5
Formbook
af4af6d4cc42a25c988c490988ad4ab6e0ef229059f110e4535c8148e7fada19
Formbook
bc1b641ded95e09ee28144b98ac38dd352f7a32ae47e9ccb1ea3a7f2e32372e3
Formbook
eeb925601fdf3c1d3155c01e836017ee29a9b1342b5c4d084839424aaee41a6a
Formbook
+ 14'265 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:pf28 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220613-nvleyacbg3/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
0703b3e4ffb98290253ba0e50f9320319defc86ab1c1a6c37429cad7bf03496b
MD5 hash:
dba316d78b0d5e73bd81a1fac6e157b4
SHA1 hash:
2b4ea94a47a5e962108f0838405de5049513d06d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8d5b2d1a-5175-4afc-a6a4-11bb2755d280/
Parent samples :
d2d4fa8e5269186698ecf34401a56bd30201c4f2e0be41ad4acfa714342c2b83
c070b3418951467e91abadb66c173d4727dbebe697e05b766bb661547dd3be1f
bd2f515058e5deaa9602bec839143b019bfac2b75897e559fd40058be3b8b2c1
dc57d17b3c0a5ef3baa7ee867f9833f284f3c628c0b7ed610acda586b6bb2a14
d9b964c2d111bf987b4b5c0bc43cb9753de50869f83059aaf96bab9082094aef
SH256 hash:
0cd70604fa72ae72a082cb96b7c372e0e46036754e60ee074c1eaec434973e77
MD5 hash:
9f68d96b6cd2d3135f8629508acc683f
SHA1 hash:
c99c2ca65b4662d32c2eddfa07473c4cfc6089fd
Link:
https://www.unpac.me/results/8d5b2d1a-5175-4afc-a6a4-11bb2755d280/
SH256 hash:
d699ff813956bf4106afea8b31df8ad93963998a50b5f483ed17ab6795250ba7
MD5 hash:
941ccee9483a6fb6937646d0c6ed3c56
SHA1 hash:
6403b6da62f09571127634c9b8561708b1e6fabc
Link:
https://www.unpac.me/results/8d5b2d1a-5175-4afc-a6a4-11bb2755d280/
SH256 hash:
dec15271d422cf3b82c0a94cf147312bb5a4a4f262da4b698ffe7e6bdaf18053
MD5 hash:
79c5c39e29ebe233cd13a50987e64609
SHA1 hash:
0560314716e6519158009159c017d2b52116608e
Link:
https://www.unpac.me/results/8d5b2d1a-5175-4afc-a6a4-11bb2755d280/
SH256 hash:
dc57d17b3c0a5ef3baa7ee867f9833f284f3c628c0b7ed610acda586b6bb2a14
MD5 hash:
bab4e4db3df0c0d3bb897be955805483
SHA1 hash:
4b72be509781c2b0956e16408ffb2e246d1beb54
Link:
https://www.unpac.me/results/8d5b2d1a-5175-4afc-a6a4-11bb2755d280/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc57d17b3c0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc57d17b3c0a5ef3baa7ee867f9833f284f3c628c0b7ed610acda586b6bb2a14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279395/

Comments