MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
SHA3-384 hash: 6ecf372c8c02c4a385be02a17baa7c82030625b46d2de4f55572658dc8c9ea646a202f1b499e11cfa9820fa3020035b9
SHA1 hash: 3b9c201ceff06148739d6c59e3a20c2048e8a9fe
MD5 hash: 187a269d103856e0d922e71e26046ac4
humanhash: spaghetti-august-yankee-autumn
File name:KSP QUOTE_2.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:539'648 bytes
First seen:2020-07-09 07:45:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:abXOEacTaulCSRO67KMR2apNBykF8hbvbD:avLTESRTdprykF8ZDD
Threatray 6'400 similar samples on MalwareBazaar
TLSH 8AB401B7B2A81837EEB404F6952668400FF56CBBA0B5E2CD5CC9B1D922F3FC515814A7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: truegreen-cn.cam
Sending IP: 111.90.140.74
From: Sherly <sherly@qualitech-solutions.cam>
Subject: RE: REQUEST FOR PROFORMA INVOICE
Attachment: KSP QUOTE_2.rar (contains "KSP QUOTE_2.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23540/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Possible injection to a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 07:47:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdha5hgjns4nt27jfpl4dgboqtkixl75xlnejvmusnykldv25eaq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1aeebb408f994fab29b26a81576cbd195faf9d4a1e0ef4c299e38b970e43de2c
FormBook
1c2f10aaf4e8b9a9e90316e8b470616bac893609cd85374cb11bb4a1a3971e5b
FormBook
3305e88d2594770eced662a94933358d2d1d57534aebb9c6b7876e50de58a8a1
FormBook
3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
FormBook
4ff6913b35226527d4bb0bd458d326ad3d1bdd50b90aaac6d4eae1f7f43922c1
FormBook
51e016d7614461f51389151f4dce30de7db0945f781b4d7d6ec6ab1ef97935fa
FormBook
68f9789527e83e614dc50e0279316745c15b43c7f72f8e7c5d4b99d8a656ff12
FormBook
80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702
FormBook
a4d4f50a2dff36ea8d3f92a832578a875c3f6a3ce227f1263114bf9dcbe9e335
FormBook
c4031838bc163076ff2845546cad4c409d9cec8a2100d78d4ea1ea75579f7c37
FormBook
+ 6'390 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200709-3meh9pj372/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

43b52a06408c0660199e1deb50dcc2ec

FormBook

Executable exe 48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901

(this sample)

  
Dropped by
MD5 43b52a06408c0660199e1deb50dcc2ec
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23540/

Comments