MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a
SHA3-384 hash: 170c251afdb34abaf59137d07c24ade31c7012c478c26b78d7a7119798e595cc775426c8dda96ec0a52f46d18081eb4d
SHA1 hash: af0b81615458f354e50bf812bdf8b757b86f1a72
MD5 hash: ebeea18caf4bdf7f35434cf2282575b8
humanhash: fillet-thirteen-tennis-fish
File name:Revised Quotation 6931450071.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'180'672 bytes
First seen:2025-06-20 07:21:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Ctb20pkaCqT5TBWgNQ7a5kIBazJphlUT4PqaJ0m6A:PVg5tQ7a5UlJYXaJr5
Threatray 2'381 similar samples on MalwareBazaar
TLSH T16D45CF2373DD8361C3B25273BA26B701AE7B78250AB5F96B2FD4093DEC20161525E673
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Revised Quotation 6931450071.exe
Verdict:
Malicious activity
Analysis date:
2025-06-20 07:45:49 UTC
Tags:
auto-startup
Link:
https://app.any.run/tasks/058c8922-4545-4fd3-85b7-f65f706257ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10281/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68550c9c1c92edc6a01b1606
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/68550c4ef8f8abe4f8b72cac/reports/11e11c25-4ff4-4e12-b7f8-eed876c0221a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/595e4f29-57eb-4cc8-a682-4833b416d900
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1719124
Signature
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1719124 Sample: Revised Quotation 6931450071.exe Startdate: 20/06/2025 Architecture: WINDOWS Score: 100 47 www.nftnode.xyz 2->47 49 www.lopixa.xyz 2->49 51 16 other IPs or domains 2->51 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected FormBook 2->61 63 Sigma detected: Drops script at startup location 2->63 67 4 other signatures 2->67 12 Revised Quotation 6931450071.exe 6 2->12         started        16 wscript.exe 1 2->16         started        signatures3 65 Performs DNS queries to domains with low reputation 49->65 process4 file5 45 C:\Users\user\AppData\...\starbowlines.exe, PE32 12->45 dropped 83 Binary is likely a compiled AutoIt script file 12->83 18 starbowlines.exe 3 12->18         started        85 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->85 22 starbowlines.exe 2 16->22         started        signatures6 process7 file8 43 C:\Users\user\AppData\...\starbowlines.vbs, data 18->43 dropped 69 Multi AV Scanner detection for dropped file 18->69 71 Binary is likely a compiled AutoIt script file 18->71 73 Drops VBS files to the startup folder 18->73 75 Switches to a custom stack to bypass stack traces 18->75 24 svchost.exe 18->24         started        77 Writes to foreign memory regions 22->77 79 Maps a DLL or memory area into another process 22->79 27 svchost.exe 22->27         started        signatures9 process10 signatures11 81 Maps a DLL or memory area into another process 24->81 29 3FzlwqMbWbMg.exe 24->29 injected process12 process13 31 logman.exe 13 29->31         started        signatures14 87 Tries to steal Mail credentials (via file / registry access) 31->87 89 Tries to harvest and steal browser information (history, passwords, etc) 31->89 91 Modifies the context of a thread in another process (thread injection) 31->91 93 3 other signatures 31->93 34 6wvmpo4AFHgHp.exe 31->34 injected 37 chrome.exe 31->37         started        39 firefox.exe 31->39         started        process15 dnsIp16 53 www.lopixa.xyz 67.223.117.189, 49709, 49710, 49711 VIMRO-AS15189US United States 34->53 55 www.kjartan.xyz 13.248.169.48, 49691, 49697, 49698 AMAZON-02US United States 34->55 57 9 other IPs or domains 34->57 41 WerFault.exe 4 37->41         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/ebeea18caf4bdf7f35434cf2282575b8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-06-20 00:57:53 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4g5bxhkpdbvkjs4uhx2xsuyonwcyxqr4euvydi2eqz3t45q2hona._file
Verdict:
malicious
Label(s):
unc_loader_036
Create hunting rule
autoit
Create hunting rule
Similar samples:
0831426451e8b8071303db9f6b0344e25065cb98272cf73e670db1053285d7a0
Formbook
3fc89ad938129437b93f26db8776fc6aa89bd3811b2f1dede0541b5a088aa983
Formbook
4b418e5eb7834e7fee32b5acf0b26100b038524c09f1608c8f6e3db582b95e50
Formbook
681d856fffd8a6f16f3b0f62f6aad5cd1adb042be504b3e9dcbc5ed469d7450f
Formbook
7039cacccff280189a0abf06fecc5bd52ad7386fdc88b25a582a13a6eae02851
Formbook
753a49b70d32e9b5fba67f7c07a71634266b6f31339265c1e32c1e1d30965e4c
Formbook
89453961b990b5fe0cae4bc8fb354e107f4aa429acb83c359bd7484e3234e7b4
Formbook
d2e4942924fa6f218f70772eefd5ef57ae369799ba23cd70913f4d0b8fd6da94
Formbook
ea5ad478df7db224610821def4d39b12ba7ef2f7a95fe88c9bc30a135bca5739
Formbook
+ 2'371 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250620-h78hcawwew/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8bc40c4c-36e8-4518-94a4-c6d671980b1e
Unpacked files
SH256 hash:
f5c39d3ff91e3161079ba8095322585bafa3009e617948d72ad027baa8b0ef3b
MD5 hash:
21e4beaac529d65b562180923af85ba2
SHA1 hash:
cc68144f915710ba10151a8ecc45b24d49e01893
Link:
https://www.unpac.me/results/18b1fc0a-d482-4ca4-8b32-064b42e218f4/
SH256 hash:
ee076d1883a596044150f8bb7ffc838461c1b6aeca7e29f0d90bbecf37f6b2f7
MD5 hash:
755ce6bf3140bfc1ca1cdde3513b278a
SHA1 hash:
45f3b33dfd4bc389c601c262a9af7a545f2183e2
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/18b1fc0a-d482-4ca4-8b32-064b42e218f4/
Parent samples :
7039cacccff280189a0abf06fecc5bd52ad7386fdc88b25a582a13a6eae02851
e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a
432ba75638ad5983cdf489ee72b425185dd0c8ea746b3e329b30dca191561476
f745db2b407ab57072397092b6354a1fafc1442753acf17119dd464595e5bdee
011b0f36f357ab20aa21d33a4f1b496c7eaf7d2580af285a694b5447fa62779e
1d256e48ad02938535032f73aac2a6a469f7f044c9aa6485a8813a1258b011d1
SH256 hash:
e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a
MD5 hash:
ebeea18caf4bdf7f35434cf2282575b8
SHA1 hash:
af0b81615458f354e50bf812bdf8b757b86f1a72
Link:
https://www.unpac.me/results/18b1fc0a-d482-4ca4-8b32-064b42e218f4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1ba1b9d4f18/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e1ba1b9d4f186aa4cb943df579530e6d858bc23c252b81a34486773e761a3b9a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/10281/

Comments