MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe
SHA3-384 hash: bf716b10778033e43e41ed1f87872a10991bdbd494b54d570f500fcdbd403271c0f51620662b22810d13c50286d2f494
SHA1 hash: 8c4382a100d97a0fc69cfcc20ac89ca62fb1fdef
MD5 hash: d6462d2a7741ba618a76002919ba1296
humanhash: purple-red-butter-michigan
File name:RFQ Specification BINIF0865.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:574'976 bytes
First seen:2020-10-22 08:07:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:Nf/kZGnE9fPeJEp4ckiKVmO+2XbIm9A1GKZHNYPzod:JmGnE1PeqHDKVmOHIqA1GUKzod
Threatray 2'640 similar samples on MalwareBazaar
TLSH DBC4026061A9A733E3FE8BF6305C590A97B1541E13F5E7644CE37BEAAA507048F80E53
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.pollyarm.xyz
Sending IP: 157.230.63.67
From: Amacon Makgoka<amacon.makgoka@hotmail.com>
Subject: Re: 回复: Request for Quotation with reference: BINIF0865
Attachment: RFQ Specification BINIF0865.rar (contains "RFQ Specification BINIF0865.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74578/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 07:38:35 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gqsunvxzw6d4bbjcbnua7faik4iyyit4oiihk6dsmlk3a26ih7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
Formbook
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
Formbook
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
Formbook
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
Formbook
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
Formbook
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
Formbook
9a6e3d08a19f78c4910503262e775bfeda3c3b53ea5e86e5430e1d4b4c92a6f8
Formbook
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
Formbook
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
Formbook
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
Formbook
+ 2'630 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201022-rs6bmlaxna/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flipgired.com/aqu2/
Unpacked files
SH256 hash:
f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe
MD5 hash:
d6462d2a7741ba618a76002919ba1296
SHA1 hash:
8c4382a100d97a0fc69cfcc20ac89ca62fb1fdef
Link:
https://www.unpac.me/results/06831896-4373-4d43-b32f-2117d203d98f/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/06831896-4373-4d43-b32f-2117d203d98f/
SH256 hash:
1bc8f732dec929181a990598b6a6f60a58f6cb4602fb7d8669f9e2664a14dd11
MD5 hash:
02192ecbb5746b3179be2cc5770a04d3
SHA1 hash:
2eea2bea1c6104c8e23137de6f58212a5c4e585c
Link:
https://www.unpac.me/results/06831896-4373-4d43-b32f-2117d203d98f/
SH256 hash:
fb8b9188a802dc4c9142e4bf6cb89b857524dbb66c47b73d3da8e0f6ce4c3a83
MD5 hash:
bfdbb26f7dbd069633a9e83c438c72b2
SHA1 hash:
54183d95c570211ea46e2d88c13e3f563d9647a1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/06831896-4373-4d43-b32f-2117d203d98f/
Parent samples :
f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe
28e6b82a33e2b7e7ce02e684b90aae380c6e4ec244d111a5d16833ddf288981b
069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 64ffbb744d084caba6af2ced8f3037794585c3a496ddab8721155f1e9d1e5d31

Formbook

Executable exe f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe

(this sample)

  
Dropped by
MD5 9b4a71b823de0987eb13d61cf1075640
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74578/
  
Dropped by
SHA256 64ffbb744d084caba6af2ced8f3037794585c3a496ddab8721155f1e9d1e5d31

Comments