MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 327254ffbd59cf2ac7038d509ace922665282b3d0cdc2eed9751d7bfe2b38f0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	327254ffbd59cf2ac7038d509ace922665282b3d0cdc2eed9751d7bfe2b38f0f
SHA3-384 hash:	7ec6f64bbb64e8b5f779182a61c79b495bf4c06dc6fc32336c6151d8964813e309bfa5ba7c9efb4e58369ee18d0cd36f
SHA1 hash:	27e66133dc25ecd7ca2cea9c8ac0a2ec3c683699
MD5 hash:	f9ab007852042db9298278c32a00dd20
humanhash:	vegan-wolfram-fix-magazine
File name:	Quotation.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	547'328 bytes
First seen:	2020-08-18 11:42:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:cQ4EcmZHAFaxmVmie9bngPuCJkyhM4NqYR6Lry46ri50uTpjCY:H4EcmZHAFaxmVmie9bngPVJkF4NqYurB
Threatray	2'240 similar samples on MalwareBazaar
TLSH	D8C4CFB8719069EEF8EB4DBDA8282C201353FB1B9217BE071427B5E457FA7E36521407
Reporter	abuse_ch
Tags:	exe FormBook Hostwinds

abuse_ch

Malspam distributing FormBook:

HELO: hwsrv-764661.hostwindsdns.com
Sending IP: 104.168.215.186
From: Arun Sharma <info@aleninu.us>
Subject: purchase order-009764327
Attachment: Quotation.zip (contains "Quotation.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47750/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/327254ffbd59cf2ac7038d509ace922665282b3d0cdc2eed9751d7bfe2b38f0f/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-18 11:44:10 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gjzfj755lhhsvrydrvijvtusezssqkz5btoc53mxkhl37yvtr4hq._file

Verdict:

malicious

Similar samples:

172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f

344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be

4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa

5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

8c55df1fdc1ac49e2c0a3b5b77bd044d842d2f6e38bd5f782d93853a560140fb

9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838

d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba

+ 2'230 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat persistence trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200818-6keb468rfj/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Deletes itself

Adds policy Run key to start application

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.chemoly.com/k71/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/327254ffbd59cf2ac7038d509ace922665282b3d0cdc2eed9751d7bfe2b38f0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 869872ec0f82b46065e15b7af980300ceb755a14600525cc1a13edd40185ed07

exe 327254ffbd59cf2ac7038d509ace922665282b3d0cdc2eed9751d7bfe2b38f0f

(this sample)

Dropped by

MD5 ed260be88b3e35b61eeca4e4d3609a9b

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/47750/

Dropped by

SHA256 869872ec0f82b46065e15b7af980300ceb755a14600525cc1a13edd40185ed07

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample