MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa
SHA3-384 hash: fc6a9ff37ae66397d7420095c7e89f3fa9ac0a1bbdfdee8b87240c079ee17d1b7c577fcab9d1bc788fe7881647cdd3a6
SHA1 hash: ae23bd161690cc42cdfb2b2220bcf15992ae175a
MD5 hash: c563ac9781f5dd0b8a701d8a57029194
humanhash: timing-thirteen-winner-speaker
File name:Solicitud de cotización.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:638'464 bytes
First seen:2023-05-24 15:10:22 UTC
Last seen:2023-05-24 19:15:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:U2N8jiZ4zypIPjtPplTY6RhKu5wMS2lEs/cLFCQDgYCnrz2RzSjpUUfIp1qO58O/:U2N8jiZ4zypIPjJTDEkSVsDQD4rz2KJ6
Threatray 3'007 similar samples on MalwareBazaar
TLSH T155D4239C965F4B5BD0AB57F414805638073A8E94B872F30F6E27F1DDEA617428E21B0B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:ESP exe FormBook geo

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Solicitud de cotización.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-24 15:11:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e7b108e-65f9-44f2-bd17-4de9df9852db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391200/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.36733.30647.9776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process from a recently created file
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646e29089621774aa98ebbf2/reports/fab2c3db-efa1-436d-8aad-a9ac33694491/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7a014a3-203c-4bd8-b2a3-7dae6e7471c5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241761
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 15:11:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gzwzj6woc6hgwydfydyqw6xvpzvwndmzs2rszqv4fnn5xrqwx5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02b060c393fbc76a082ef0411f28e2be60bce1af80ea2df91f003e9b8a762b88
Formbook
1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
Formbook
1fe93bcce0611f7025ad13add45a4f37516a1e9b3f348e553fa27d184bf441c7
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
47c74b216015a03abc6bf2a786c4c760fe23f5ce920c9a0ed6e68aa340568e84
Formbook
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
Formbook
6f6635f95155f37d66c295977e973d28b681fb57fc50caf361e5e13f1037008a
Formbook
a28cb539852da2e100484ab8cee9613a28b2e68d409b99d80e27f4fb7f238b5d
Formbook
a8982b67f297cc68ff3f3de02cc7b60d51c8b4a3db85971ce4f73149fe67b6ee
Formbook
e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f
Formbook
+ 2'997 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:q6at rat spyware stealer trojan
Link:
https://tria.ge/reports/230524-skleeade5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
766848103fe44d177d6a0869618f1fca08d339ce5d2570bee420fff9b9a28efc
MD5 hash:
20d4c22f7d1a97fd239b9c2451c1ba3d
SHA1 hash:
fa9f095e5e68690930e1d950bae64602ad936391
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5dbf1774-0656-4a8a-b3e9-4392132989a3/
Parent samples :
f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa
0074ed761aea590abca0a0f0fe2d58a82f0b9cacc91cc108d122a0091329ef84
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/5dbf1774-0656-4a8a-b3e9-4392132989a3/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
3873aae401d3d0b09008e3462e486227e5c8ea5bf6d0ac5a511df6608d7b20b6
MD5 hash:
ebd24798d1c7d98ec43aee5dcbd2ed7e
SHA1 hash:
60b7e8ed60838e9d49ddd345f33bf30442c19ea0
Link:
https://www.unpac.me/results/5dbf1774-0656-4a8a-b3e9-4392132989a3/
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/5dbf1774-0656-4a8a-b3e9-4392132989a3/
SH256 hash:
a77bc5d01619bfa24147e06bacfea03fda0ac996a70e8b25c6d66483ab764287
MD5 hash:
466216a053a044c71a41a323378be08f
SHA1 hash:
21e3bee6151a48c6ff097dfe8e3e732533ec559c
Link:
https://www.unpac.me/results/5dbf1774-0656-4a8a-b3e9-4392132989a3/
SH256 hash:
f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa
MD5 hash:
c563ac9781f5dd0b8a701d8a57029194
SHA1 hash:
ae23bd161690cc42cdfb2b2220bcf15992ae175a
Link:
https://www.unpac.me/results/5dbf1774-0656-4a8a-b3e9-4392132989a3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1b36ca7d670/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391200/

Comments