MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffdce32ce2f9c0f99abb5cff3602bcc02f3ceb4933d145fe02f650244b513a51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	ffdce32ce2f9c0f99abb5cff3602bcc02f3ceb4933d145fe02f650244b513a51
SHA3-384 hash:	c3ac878781a8af2633eab29d97a7b0d8f2e5d464e001247f90b54c8751cf457a8efa28cba145e034be41e001c443cb99
SHA1 hash:	56953fa95c04051b3bcb7c3ace9e993d6586fb29
MD5 hash:	65cb21f74729427dcb7ddb1bb8cb762f
humanhash:	solar-skylark-uranus-washington
File name:	quote.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	832'440 bytes
First seen:	2021-07-19 15:08:30 UTC
Last seen:	2021-07-19 15:37:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:R+MO8FsF87bhQxUKKKVxempYqoFGb3yWbgko4t3PgPMlkwIdd0yNXzgEu7ax:R+MOQW87bhQxtVUkDg+FYUkwed00XMLA
Threatray	6'637 similar samples on MalwareBazaar
TLSH	T10A0512310860F8D1DE6F463C54F75FC66FE222B3D2548EFA42AC506DEA93F80865A5E4
Reporter	James_inthe_box
Tags:	exe FormBook signed

Code Signing Certificate

Organisation:	Mozilla Corporation
Issuer:	DigiCert SHA2 Assured ID Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-04-09T00:00:00Z
Valid to:	2024-06-19T23:59:59Z
Serial number:	0c1cd3eea47edda7a032573b014d0afd
Intelligence:	15 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	854b470dd8c92c875fe4a726ad1619507fc0bdcee9e936b5963daf0eb26426a3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

quote.exe

Verdict:

Malicious activity

Analysis date:

2021-07-19 15:10:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ac9fb9bf-a2a6-4227-8edf-ac938c6b1709

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/172566/

Detection(s):

SecuriteInfo.com.Variant.Bulz.567852.16774.25031.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/79a29bd7-0355-4e33-a68f-606ce2edda56

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/818334

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/ffdce32ce2f9c0f99abb5cff3602bcc02f3ceb4933d145fe02f650244b513a51/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-07-19 15:09:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=77ooglhc7haptgv3lt7tmav4yaxtz22jgpiul7qc6zicis2rhjiq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2cea4d259b54152c7e175ed0739e4c4c70050a49d07cacae4d9003032e7d9990

Formbook

3755206dc18df104854e076d74799c1d83d6cb6acb22a7aa22ec595c56e31abc

Formbook

441a0a46bcdfdee8c8b6761798e75a65204eac43b47547557604f80f26b87e95

Formbook

872d03fd7d4748230a0e84593f7a29c36f70a5c711ed4a4dc2c11a9d9774d06a

Formbook

8909a6a1081cf2202e33dbc0e496c5be450f360b8f2d63a05c8c671d5ffb00de

Formbook

8d0c96f1776267d62dff665af9687e0a5bb0fa35d9bd151c8871114d797020f1

Formbook

9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33

Formbook

b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981

Formbook

bb9ba507dcfe191724f459ded8009edfa46481b2e244827354116f1734a52a9c

Formbook

+ 6'627 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210719-yzcscsgkne/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.queroquitarbv.net/bx69/

Unpacked files

SH256 hash:

a2d0c9553abc0e808f5f78e0e6ddf8978098ebee90f7d1843132d197ddef096c

MD5 hash:

2a0c904eb618bef08d6264802bcb1847

SHA1 hash:

e59233e6c4f20781692d219ea6a07d5db985c0a8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/cdb88592-9957-421c-814d-765167d522db/

SH256 hash:

3be7cf1070f5c2462550385a2fdb5505b440b15fb84ab66430a40a332d792dbd

MD5 hash:

4501fde13b35e09eeb0e38902b78cc28

SHA1 hash:

9ccd4998beaf4ec62cd011673eaed1b451cc8132

Link:

https://www.unpac.me/results/cdb88592-9957-421c-814d-765167d522db/

SH256 hash:

db2e30cad16c037cdae98e25c70fee86d4dd4537c50be706e61c7aea2c502749

MD5 hash:

298129ec64d2152cf9c66dda71391c6a

SHA1 hash:

88b2c41c25027cdc612cb3d70f569bbb35aa1277

Link:

https://www.unpac.me/results/cdb88592-9957-421c-814d-765167d522db/

SH256 hash:

ffdce32ce2f9c0f99abb5cff3602bcc02f3ceb4933d145fe02f650244b513a51

MD5 hash:

65cb21f74729427dcb7ddb1bb8cb762f

SHA1 hash:

56953fa95c04051b3bcb7c3ace9e993d6586fb29

Link:

https://www.unpac.me/results/cdb88592-9957-421c-814d-765167d522db/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.21

Link:

https://yomi.yoroi.company/submissions/ffdce32ce2f9c0f99abb5cff3602bcc02f3ceb4933d145fe02f650244b513a51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/172566/

URLhaus

https://urlhaus.abuse.ch/url/1466344/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample