MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6963991b3f7b0d0870130058d1494481d64003e95bbb5fabfb024de68582c02e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6963991b3f7b0d0870130058d1494481d64003e95bbb5fabfb024de68582c02e
SHA3-384 hash: 43a2881ce1e3b73dfcc60e5a599dc51cec421bd75c0296cdb985867b5d8a8f678efde865451486404fc2358175c2c125
SHA1 hash: 708f65cd2ce9350d70c8aa9d8e2f28c41607945e
MD5 hash: 6fb8f65a82723453ec8959f31bf6f9a4
humanhash: sixteen-iowa-item-robin
File name:PAYMENT TRANSFER RECEIPT_PDF.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:254'464 bytes
First seen:2020-04-30 09:53:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:kDx7moNZqQmuAYcP1K75pA0JMWVqR6SqUM4B:kDNZMdYqK7nJRJSqUZ
Threatray 5'108 similar samples on MalwareBazaar
TLSH 784429291DBCD036D164C9FE8FDBC43AE70ED07322195D39999342648BE6F6361821BE
Reporter abuse_ch
Tags:bat FormBook HSBC


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.creative-sour-co.ml
Sending IP: 64.190.90.116
From: info@pangaea-hk.com
Subject: FW: © HSBC Bank Payment successful 29042020
Attachment: PAYMENT TRANSFER RECEIPT_PDF.zip (contains "PAYMENT TRANSFER RECEIPT_PDF.bat")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 06:22:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfrzsgz7pmgqq4atabmncskeqhleaa7jlo5v7k73ajg6nbmcyaxa._file
Verdict:
malicious
Similar samples:
223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a
Formbook
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
Formbook
5eb9ca5476eb4c9c83bbb5d6bbb7ff90474749121e2e063bbd9e988c4e4917e2
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
Formbook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
Formbook
bfa0531240e8ae03aee76df45f9e4c8748ad739a63f47c81269d7b2ca05fc329
Formbook
dc6eb23c871bd7c54a5a38c3806d021a413b4897358a86915c7b27c7cca9d202
Formbook
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
Formbook
f99691f533ca56e970f2be2d26ea424ac50bff2aa2bfd43482d0a166bece71eb
Formbook
+ 5'098 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip bc1357d4c62dd82f18e2fba5a9f496e8502389815211ed722ea598af195f727f

Formbook

Executable exe 6963991b3f7b0d0870130058d1494481d64003e95bbb5fabfb024de68582c02e

(this sample)

  
Dropped by
MD5 f6de22f7798772d3f46f19bce5a2ec67
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bc1357d4c62dd82f18e2fba5a9f496e8502389815211ed722ea598af195f727f

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments