MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 154d6b81bf4dcce3911f5c72f4790569e1cd91aee0040e7c1341f5286952bafe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 154d6b81bf4dcce3911f5c72f4790569e1cd91aee0040e7c1341f5286952bafe
SHA3-384 hash: da8be56d70bbee5808bdfd4959e3cc479d635685711c4b2d0e07f53ba9ec312f1060712a99d309e1e1dc1d9b6bef4ec5
SHA1 hash: 0e7cdaa81d5609a0dcfab42e8b41126bfe46af02
MD5 hash: 2a59c4d9b6c5438bc5cd69d8768c8035
humanhash: kansas-failed-maryland-virginia
File name:RFQ-QUOTATION#JULY2020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:536'064 bytes
First seen:2020-07-06 06:32:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:r8uNmCFF7S8G7i+n3HAApBz+HVlRB9uhb0Pzid9ncIEEWi4tNkv+TyU/:r8uBujPn3VkRB9pUVcIEE34tev+eA
Threatray 5'119 similar samples on MalwareBazaar
TLSH A3B42573127EEAEAFA2D3DB4824413501EB41C979670E14BE98F3CC5E1B3623C9695E1
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dlveltex.co
Sending IP: 111.90.145.49
From: Cona Import Company <operacional26@conaimport.com.br>
Reply-To: david@kelichna.com
Subject: RE:RFQ-QUOTATION#JULY2020
Attachment: RFQ-QUOTATIONJULY2020.rar (contains "RFQ-QUOTATION#JULY2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20805/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/154d6b81bf4dcce3911f5c72f4790569e1cd91aee0040e7c1341f5286952bafe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 06:34:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cvgwxan7jxgohei7lrzpi6ifnhq43eno4aca47atih2sq2ksxl7a._file
Verdict:
malicious
Similar samples:
3026e3d087b09043925e42928fa0764af54475791f45f8ce97ce3f72b0a66e50
FormBook
50f8d8b5cbbad3f2a1d4a25b84553ba285f49318ab3dbb8d436b6709582997e8
FormBook
528855cf41335ffa3099457ea280c63afba531ec224b3c3ee9eb293b369db220
FormBook
597022d4e4794fb02c89a43939d93d1b2b1140e798e355c2a53a8423f19514ad
FormBook
879e1880a4d2d7f0245a1267cf5bd4447eab697eea8680aa96ecf73f8a2c78f5
FormBook
8e3558d36802ba3f0da7c2b1188d5f12918959c2674e5421c2d15fad57d712e9
FormBook
a841d5eddb5208f4740c9d305151742f0a4c39b113e91d41414af98ff19c6c3d
FormBook
aa96ad04f8d5fede0038fa00238b1c5a275decf0774dadbfd93922311f80394d
FormBook
cbd6e5626ae84385a9fc7a7eab1877be367ef0b69dc1c4a8de1f668ecb018ab2
FormBook
da598cdcc8c0be3634bafe7bfb3ca0137e1ae0f785fcbe679f63a79fde4c3131
FormBook
+ 5'109 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200706-1f8v1zvwrn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 13e92d1d6b77af965a828a921c01271c36e2fb38ad037bfab38a3943087a68dc

FormBook

Executable exe 154d6b81bf4dcce3911f5c72f4790569e1cd91aee0040e7c1341f5286952bafe

(this sample)

  
Dropped by
MD5 ce162bffcceeddbc8296207f2d0b9b47
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/20805/
  
Dropped by
SHA256 13e92d1d6b77af965a828a921c01271c36e2fb38ad037bfab38a3943087a68dc

Comments