MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d
SHA3-384 hash: 04e9d8d72d9ac6a7e34512c2cfcbd3c8f5948fde1dce7f77b38593b03b640fa1ce28fce31ad590a52ef3cd1341567fae
SHA1 hash: 09d1442f5721697c9e4dd14871b877a2cf496322
MD5 hash: 27aecebab6b0ce06b5b753a97770369d
humanhash: muppet-cat-asparagus-jupiter
File name:Quote order#098799.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:782'848 bytes
First seen:2022-04-04 14:39:40 UTC
Last seen:2022-04-04 15:59:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:kv8a3113C3yXySEUDiqWQ9jcjh0JVWzXOWs8sExvkqdbCedZYS199tlJzN3FOMv9:klDSiCSjj9j7VWTwERhdBColrFOcjXNb
Threatray 14'595 similar samples on MalwareBazaar
TLSH T1DDF41204712CAB6AD27C87F70196D5540BFD67193B08ED099FDB34E87A873D21382AA7
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260626/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLB.genEldorado.15397.21822.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fbb4d94-b635-4356-967f-1bc875e42919
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970156
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602640 Sample: Quote order#098799.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 Quote order#098799.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\Quote order#098799.exe.log, ASCII 10->28 dropped 54 Injects a PE file into a foreign processes 10->54 14 Quote order#098799.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 fosilbunda.com 172.96.191.204, 49812, 80 LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Canada 17->30 32 www.fosilbunda.com 17->32 34 www.03c3txprmu5qz3lovgm8257.com 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 msdt.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 14:40:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4y4aorrcoz6ce3243nyialnfwnrno5oz5373lnu7ynzktnzbejoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
045c15ef3a76b61d487b30e3e554c77afbc4f3fc17078d3818b5392de608a92e
Formbook
3442fd19b9e1ee720034c0849d905f81d4211e289a5a758c9239f1422874c9c5
Formbook
3ff28d4f5a5b236c660c2714bf1b5a515cf72cd738afea35b916938024644538
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
a532c52eac805e4d436b96265c172a50026c866ee4f560b75d9b6d93ef71406a
Formbook
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Formbook
+ 14'585 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e0i2 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-r1vscabdem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
94fcde13fa1a9eb12e3d2d820cad2a62eeb7688293b59b4ab855494aceebcc6f
MD5 hash:
807e5baa8273ab3b0c11ae2ad7310f66
SHA1 hash:
e9725b44ccd2a7d460b7ae4088b77a1adbe0b37d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/729661ee-f39a-44a3-bce9-dce7ba1103a8/
Parent samples :
e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d
76cc06bfad45121afa9c1b5ac81cfc129a3a16a388170a84e895ed099ccccecb
3b09da74a064a61e7ab0c1ebda53ec9672808950178ae4691ee5ebddf8b278aa
SH256 hash:
81050d1843c66864b414d62872ff078ce5e7b6e26a425bfa21b82acc16ce3b51
MD5 hash:
03479d9c5cd84211cb0806fdf665774e
SHA1 hash:
f1c937306344a034fba5aefa3a37fb0e6956a586
Link:
https://www.unpac.me/results/729661ee-f39a-44a3-bce9-dce7ba1103a8/
SH256 hash:
e9ad1bc57a5c51228938fa875eede1f92a36a1b4a89361a4d597c24c3cd35673
MD5 hash:
ae23539b08bddfb9ff8468122d38f033
SHA1 hash:
ee165bd89c7e87b8ba3398e907b4289d13e6283f
Link:
https://www.unpac.me/results/729661ee-f39a-44a3-bce9-dce7ba1103a8/
SH256 hash:
71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4
MD5 hash:
bfcf754fb9acba752f79f44817b7be23
SHA1 hash:
01af19456b6f97790973d0d67a97ecc362ab7aed
Link:
https://www.unpac.me/results/729661ee-f39a-44a3-bce9-dce7ba1103a8/
SH256 hash:
e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d
MD5 hash:
27aecebab6b0ce06b5b753a97770369d
SHA1 hash:
09d1442f5721697c9e4dd14871b877a2cf496322
Link:
https://www.unpac.me/results/729661ee-f39a-44a3-bce9-dce7ba1103a8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e63807462276/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 65fef0825244239ee368dc96574652ceb31452ba4916aacda68819c50aa7369e

Formbook

Executable exe e638074622767c226f5cdb70802da5b362d775d9eeffb5b69fc372a9b721225d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 65fef0825244239ee368dc96574652ceb31452ba4916aacda68819c50aa7369e
Cape
Cape
https://www.capesandbox.com/analysis/260626/

Comments