MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23f5c4c38dc1ab5c57de98087bdc5ed23a2a0b123293526eb496dae8e9311e2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	23f5c4c38dc1ab5c57de98087bdc5ed23a2a0b123293526eb496dae8e9311e2d
SHA3-384 hash:	37b0d3336d569511b8cbd04cf6f1fd3ba918e3bb94c6d86e62c22ae693494a1d2c0fa76daed15526ea735f9d5261d075
SHA1 hash:	55e29f249d7cff919649dff6beeb08e89ef4402b
MD5 hash:	c56409ad88d66ffb34076c9532b071ee
humanhash:	jig-delta-mountain-xray
File name:	quote 6084.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	693'760 bytes
First seen:	2020-08-18 06:24:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:UaEcW+qO2KygZcEhk4K9ph42fNYc4M1vX0Zu/YRy0mZ4yA:rhwKygZ3s7SmNGiYRy0J
Threatray	3'496 similar samples on MalwareBazaar
TLSH	C7E4F193F1808495C8791BB29C2B491513B67DAAB8B1FE1D6CDDB1A997733C20107EC7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

From: Helen He <server@hinet.net>
Subject: Required Quote
Attachment: quote 6084.zip (contains "quote 6084.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/47522/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/23f5c4c38dc1ab5c57de98087bdc5ed23a2a0b123293526eb496dae8e9311e2d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-17 21:44:29 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ep24jq4nygvvyv66taehxxc62i5cucysgkjve3vus3nor2jrdywq._file

Verdict:

malicious

Similar samples:

006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b

0e596eee578e5cc009d172a7dbae0cf150bbf925360389b9961e67c60ab8f3a2

2bccd7c0c084c310cc99b76682f6747baebaec683536a1ec3a8210b55daa327a

327bc1ad9fc793811e5da6cb3553b7dca05c8a48d8060fc94015339ee805851d

52f217cdebe83217297bedc352fac2e475e293e6cad52a1335b3641eeb8c412b

5d23715d3724a6a10e1af754d9fd8209a399164c65d020eceaa8aa1ff93879be

8288e9e21f28be24c2d3839e26c3c726dc90e9955a8506816fb498044f9846b6

a3146b5cf5e3e45e07943cd02d6b2758acce9213ffb3b33dc4f0c098d54dd58b

b91d1df833c959a0c941ea92dae9d30f23cb4825ae33594da4eafc758a8de10f

f17cee91692c671592aa451fea1c86090f9ff613dfad84a5e7f17c18fe939e1e

+ 3'486 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200818-d355hv6mee/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.godhep.com/vcd/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip b30585778ccca8f448706eb3f508bf514cc329145a854d28bcbf1493d28af1a7

exe 23f5c4c38dc1ab5c57de98087bdc5ed23a2a0b123293526eb496dae8e9311e2d

(this sample)

Dropped by

MD5 c0bcd3d6da69e000ed025857aa24f87a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 b30585778ccca8f448706eb3f508bf514cc329145a854d28bcbf1493d28af1a7

Cape

Cape

https://www.capesandbox.com/analysis/47522/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample