MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e
SHA3-384 hash: 48da540efccf5c1c853567553a1e0299502adb768da46da1785fd266cc3c8a5bd7011d70a4e9100abe4ce2555938087e
SHA1 hash: cb72007bc2277b6785978d52ae809bc7fba47454
MD5 hash: 9c35649333b05a64d1056d21c7194454
humanhash: fanta-butter-hamper-hydrogen
File name:QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:666'624 bytes
First seen:2021-11-25 13:10:02 UTC
Last seen:2021-11-25 16:43:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rEKTMs0KixBFmwNht5CuItgwmnpHGq6hC3j9Rc52XWABfGlW:rEKws0Ki1zjcuPHxx3j9WgfGw
Threatray 11'686 similar samples on MalwareBazaar
TLSH T1D3E4BF207E191087D68F89B2388E41969761B928F346DD0F23D1BD3DC5AB6F04E5E2ED
File icon (PE):PE icon
dhash icon b2bec096ac968682 (15 x AgentTesla, 5 x Formbook, 3 x AveMariaRAT)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe
Verdict:
Malicious activity
Analysis date:
2021-11-25 13:12:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a86373c-244a-4a71-95ec-28e5eb3c5a6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.53056.22104.24174.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619f8b3102c80febc2a92e88/reports/fefb8229-b6d9-4043-9bf4-cd704880b8f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/84fad93e-ecb9-469d-9460-34784358ef75
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896099
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528575 Sample: QUOTATION REQUEST DOCUMENTS... Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 32 www.youluf.com 2->32 34 www.segbjpjnuoo.mobi 2->34 36 7 other IPs or domains 2->36 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 8 other signatures 2->50 11 QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe 3 2->11         started        signatures3 process4 file5 30 QUOTATION REQUEST ...OTO TRADING.exe.log, ASCII 11->30 dropped 14 QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe 11->14         started        17 QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe 11->17         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected process8 dnsIp9 38 immunotecduplicacion.com 162.240.9.164, 49819, 80 UNIFIEDLAYER-AS-1US United States 19->38 40 www.solderring.com 217.160.0.229, 49807, 80 ONEANDONE-ASBrauerstrasse48DE Germany 19->40 42 10 other IPs or domains 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 54 Performs DNS queries to domains with low reputation 19->54 23 WWAHost.exe 19->23         started        signatures10 process11 signatures12 56 Self deletion via cmd delete 23->56 58 Modifies the context of a thread in another process (thread injection) 23->58 60 Maps a DLL or memory area into another process 23->60 62 Tries to detect virtualization through RDTSC time measurements 23->62 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 13:45:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wqo3z72s2npwg3bb24rzf6btj5d75jfiqmy2hixcs7tjr63rj7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Formbook
098a32bfcd332f71fdb65cf704994c70cf6390110340c809ae2cc66bddfbde04
Formbook
3ac2da7ec8b0c46550c9b85707c4743ea4cacbb5bb6ee0fd159792f3978e3ad3
Formbook
3c185c2191d1bc3a281f26cb51114b69b6d36a9fd63b3103d6c41608c8baf8a8
Formbook
73b461809cd7295bd5b96d49742acee5ab83f55e774fdc426e7e184bb1fcf097
Formbook
86df15ac78abc1d224a4249db72d29dcb2979fd0669a15c0d291e47648dc0c1c
Formbook
b4b82d2154aa722ebcbc554e0be9beb41d9af35b590c9e72793b6e59bc389e62
Formbook
c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746
Formbook
ce50b9267e52d36420b01ad72bfa8f64c9d561d6ce1083e29aa68268a06815c4
Formbook
ebc008a7b326afef547049414a909b2120e6e09b560c67e4b79d173195180691
Formbook
+ 11'676 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:bus9 loader rat suricata
Link:
https://tria.ge/reports/211125-qedfhafcek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.navasoft.net/bus9/
Unpacked files
SH256 hash:
cadb869c9da06e796fc67272e1abef31b46a5f34ca75ee2d5541e326fe0b86a4
MD5 hash:
72ca43b2c63da0212e1627bc31c99f1a
SHA1 hash:
851f29640b7968649cb984c6c5840340449e76eb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2f4cc82-8df4-42da-af28-4ffe7b3e7820/
Parent samples :
ebc008a7b326afef547049414a909b2120e6e09b560c67e4b79d173195180691
b4b82d2154aa722ebcbc554e0be9beb41d9af35b590c9e72793b6e59bc389e62
ce50b9267e52d36420b01ad72bfa8f64c9d561d6ce1083e29aa68268a06815c4
73b461809cd7295bd5b96d49742acee5ab83f55e774fdc426e7e184bb1fcf097
b93d38b48b7854971ebfe6c5845ba7185ee0572ae8413e0684df99b164314c68
bddd097c283b04fe3f26e44f1640b5496d8d29251fbf41c15c179285919eb3b0
e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e
bf6ccdb40c75ee410046cf7c4590b73d9d9f6e0c16e7d9bf0659b2ae264893e2
SH256 hash:
f6639a3b21a09ca5e9e43e10f8ac7f822956232806805252096f03f68bc9815c
MD5 hash:
aa334e922c53c5cba0b43c342ac13b14
SHA1 hash:
68109327b5e98174293bb348dfea6a088cbd5d2f
Link:
https://www.unpac.me/results/b2f4cc82-8df4-42da-af28-4ffe7b3e7820/
SH256 hash:
940a927733fd76ca579396f46419c865b0c138c185874ff50ae7e870a5ba54f9
MD5 hash:
5faf5e96779d25adbfd108fca5a4f76a
SHA1 hash:
043237381d4afae94873ef3d498e18de783a176d
Link:
https://www.unpac.me/results/b2f4cc82-8df4-42da-af28-4ffe7b3e7820/
SH256 hash:
e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e
MD5 hash:
9c35649333b05a64d1056d21c7194454
SHA1 hash:
cb72007bc2277b6785978d52ae809bc7fba47454
Link:
https://www.unpac.me/results/b2f4cc82-8df4-42da-af28-4ffe7b3e7820/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e5a0ede7fa96/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z ef22b70669f68fe71d55454f1f94c11fea049c1e2122f1dd25138701151ec2ce

Formbook

Executable exe e5a0ede7fa969afb1b610eb91c97c19a7a3ff52544198d1d1714bf34c7db8a7e

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/209370/
  
Dropped by
SHA256 ef22b70669f68fe71d55454f1f94c11fea049c1e2122f1dd25138701151ec2ce

Comments