MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
SHA3-384 hash: 14b18acaa1822dc87b4419e5884370da40ad367270117cb8a90179cfd263d240056c5c26ce42c19b850b3bd7ce1e3d5a
SHA1 hash: cf26dcb4f037e4802fea71f45efc464398fa0e71
MD5 hash: c2a8cc6623d2302cdb1537cab34923f6
humanhash: papa-carbon-muppet-april
File name:Request for Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:797'184 bytes
First seen:2022-06-08 14:03:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Pg442iNqDdpbS72AEXJhFeLsSjTufX+wfE3a5OK9yv3L1pCIhUuf:Y441QHbcZE7FeAWT6fya5nyv3vphl
Threatray 14'035 similar samples on MalwareBazaar
TLSH T16705CF85B36AAF36F13857F27451C05917B82E2E8AE0D22A5CDA70CE21B1B4305F5F5B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Request for Quotation.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 19:03:39 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/9f43fd4b-48dd-4e62-8e71-c70b170cc74b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277805/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62a0ac93a2b1fc9744d6bacf/reports/7d443953-1481-4ee3-a810-fdf542efe54c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a9c4230-a5a7-456b-a883-aa91dfda3842
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009100
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 641593 Sample: Request for Quotation.exe Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 45 www.walmart-tr.xyz 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 11 other signatures 2->53 11 Request for Quotation.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\QkuAWDJSa.exe, PE32 11->37 dropped 39 C:\Users\...\QkuAWDJSa.exe:Zone.Identifier, ASCII 11->39 dropped 41 C:\Users\user\AppData\Local\...\tmpF9BB.tmp, XML 11->41 dropped 43 C:\Users\...\Request for Quotation.exe.log, ASCII 11->43 dropped 55 Adds a directory exclusion to Windows Defender 11->55 15 Request for Quotation.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        22 Request for Quotation.exe 11->22         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 24 explorer.exe 15->24 injected 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process9 process10 30 WWAHost.exe 24->30         started        signatures11 57 Self deletion via cmd or bat file 30->57 59 Modifies the context of a thread in another process (thread injection) 30->59 61 Maps a DLL or memory area into another process 30->61 63 Tries to detect virtualization through RDTSC time measurements 30->63 33 cmd.exe 1 30->33         started        process12 process13 35 conhost.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-06 18:24:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7534n2o4ewsvbwhtoyamewyk2edj5fazns6sg4uwrm5nch2he2hq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
Formbook
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
Formbook
802472f04d847b1938c561b991f14db7756e8e137c2bc72a9563752cde1881ab
Formbook
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
Formbook
cd39064e2db9b7568fff7a58cc14153d1f45fa6060f301cbcf56c13106922a69
Formbook
d080a745b7938d247a21fe80650dd1e392eb37326882536a111a16acb6b49082
Formbook
+ 14'025 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oi25 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220608-rc9atsebh8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
d9ad45bcbfe603a3be699508002edc692666abb8607437d7287797ebbb20c35c
MD5 hash:
75d51ce06fec59270a87053916934bbb
SHA1 hash:
892b1be0a0937ef4607d705b4e750b36e166e084
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/639b3240-2437-443f-9402-f59e5f72d3e4/
Parent samples :
e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
d789dc89cbdaa34557abf0c25f2ae5e35208c752fdfceb0aaff7ab15a7e45220
d060c0c503a5d377c6f8df72835faad2b6172958efa655f04d3b0f074d10d1dc
9120ea8d13a11c171723ddc231be7217f6611b631d98a71254be079cc3e9dfe2
591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09
SH256 hash:
8e88aaa9014d04b1ef25dbcda8ddd06017be33b89c185a0ef60e84ce07d4aa82
MD5 hash:
dbcd32a3fceab5491cf57ec1d665f4d2
SHA1 hash:
5805fb72ee86ee4420fd14790b29ee0651d35def
Link:
https://www.unpac.me/results/639b3240-2437-443f-9402-f59e5f72d3e4/
SH256 hash:
ce8ac09f8d79f41a3f9a18ae93819778186278dee8e6326854fed4dd0a78d02e
MD5 hash:
945f34d4c8a957887fd2b84c594d1892
SHA1 hash:
3429a44eea2b5fb348628d7c3d77a06a16b876af
Link:
https://www.unpac.me/results/639b3240-2437-443f-9402-f59e5f72d3e4/
SH256 hash:
ee772c7d445ec23467fe8e22560769a44a8c8fa0e6906e234f879f3001c1576f
MD5 hash:
a43ec03317c49f85679bd73f68703ada
SHA1 hash:
1483cccd0cb50f41e644566dd6f67441feff150a
Link:
https://www.unpac.me/results/639b3240-2437-443f-9402-f59e5f72d3e4/
SH256 hash:
ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
MD5 hash:
c2a8cc6623d2302cdb1537cab34923f6
SHA1 hash:
cf26dcb4f037e4802fea71f45efc464398fa0e71
Link:
https://www.unpac.me/results/639b3240-2437-443f-9402-f59e5f72d3e4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff77c6e9dc25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277805/

Comments