MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
SHA3-384 hash: df6b1e134e9ae540aeb42f6191ddbb34945b172a6129a3d636546ed9cc675a1fdcf311a87924469b46c9f08c2067a4cf
SHA1 hash: 0b47a6f6131ff2ab8a60f9965313a58b81053710
MD5 hash: 37ed8efbbca2e8a9c008ea7f627c84cf
humanhash: september-william-sodium-red
File name:Quote.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:905'216 bytes
First seen:2020-12-29 08:01:08 UTC
Last seen:2020-12-29 10:11:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fyjO1ccOYrcIt9E03i91qGw54dnT5jcNWPDMwp54g17fWibxH9Wwm/8piD:fyS1Z6Dqpk6eMY54gBLWP
Threatray 3'909 similar samples on MalwareBazaar
TLSH 04159D017E618950FE69273AC5AF480807F6BD1069B2E33FBEFC3169057379668319B6
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: Dolwin Xavier <Xavier@coimtra.cam>
Subject: Re: Re: RFQ FOR CBD/PR20/3348
Attachment: Quote.rar (contains "Quote.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quote.exe
Verdict:
Malicious activity
Analysis date:
2020-12-29 08:03:14 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/c31bad25-b2f9-40dc-a8b1-4b10081cdd18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109732/
Detection(s):
SecuriteInfo.com.FileRepMalware.25392.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/571281
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334702 Sample: Quote.exe Startdate: 29/12/2020 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 7 other signatures 2->52 10 Quote.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming\pYdeyGBL.exe, PE32 10->32 dropped 34 C:\Users\...\pYdeyGBL.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmpF071.tmp, XML 10->36 dropped 38 C:\Users\user\AppData\Local\...\Quote.exe.log, ASCII 10->38 dropped 62 Tries to detect virtualization through RDTSC time measurements 10->62 64 Injects a PE file into a foreign processes 10->64 14 Quote.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 valiantbranch.com 34.102.136.180, 49764, 49770, 49772 GOOGLEUS United States 19->40 42 www.xiangoshi.com 35.213.137.208, 49773, 80 GOOGLEUS United States 19->42 44 24 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 msdt.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-12-29 03:12:08 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zlxjgkhnoirr4pmckb6ihkbyhnp5c7idz7dbwv2r74qnbibm2ia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06c8996db7925f8eba3f2e8c64b7b80a5d7a896733c9bd479336ed0cd13d19df
Formbook
3268f1c7fa17a732fee543ec75d3cfb6bf55354e751a25394bf2e980ec10e65b
Formbook
3459d3a07659440f0e31b4b59a53a6ed78914d64a467cab3dcd05de1555c1488
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
642dfced9844802f4388b3c2f30e08d9a1c94f2507e7277d900756b284d37ca1
Formbook
6e15cb6bdde40a6e89952a1c54cb27bf39becf29160f965e7efe743bce4629dd
Formbook
86db671efb5361717b2f8356bb1a1a127d9f3683ef6f55b41fba5a33bc65f1a2
Formbook
9ab99b021cac114dbf496c1b48e7f704799a1ca7d8b1e7e4366743f2e0ebcdfd
Formbook
b87399c6d528ab7bf017ea2c0d5a1b8d6eb5eb98c1837af426b4beff34372c01
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'899 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201229-ec56zyz2qe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
MD5 hash:
37ed8efbbca2e8a9c008ea7f627c84cf
SHA1 hash:
0b47a6f6131ff2ab8a60f9965313a58b81053710
Link:
https://www.unpac.me/results/05364733-62b9-4c3b-a8c1-89409f9a8d92/
SH256 hash:
41c55177e9a8e4b5c9973b9ab8ac8dd2f4ef7db6eb6311a9c2287eebd6607b8b
MD5 hash:
bd2d71bc301ec26bd843d49169c5ec9d
SHA1 hash:
04cad934c7a53d50b6d243e167758f2357086004
Link:
https://www.unpac.me/results/05364733-62b9-4c3b-a8c1-89409f9a8d92/
SH256 hash:
488546f5a2ea2fd1b34074ef2ca48cd140dc2195c2b46de36ac979fe5206eea5
MD5 hash:
ad5e809b6ed836ea72cd0bcc032d8919
SHA1 hash:
0ba0944e50ceb46b8aacb19d0c8e5c389671964f
Link:
https://www.unpac.me/results/05364733-62b9-4c3b-a8c1-89409f9a8d92/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/05364733-62b9-4c3b-a8c1-89409f9a8d92/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/05364733-62b9-4c3b-a8c1-89409f9a8d92/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 650193b83b7aab6f25be28333d36c0543b721cdaa59c702d903faa279a54db9e

Formbook

Executable exe de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690

(this sample)

  
Dropped by
MD5 fee6b5f806d57fa0c4a4ea795cb4132c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 650193b83b7aab6f25be28333d36c0543b721cdaa59c702d903faa279a54db9e
Cape
Cape
https://www.capesandbox.com/analysis/109732/

Comments