MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f
SHA3-384 hash:	4d6ecfac097da26817bf79ddc50c2fa72c212cd47ad84b9da708443046a3b26d87e6547246895a9f61b1276ca197bba3
SHA1 hash:	489f667a831be85ffd37288ca187d0517fc5d649
MD5 hash:	0c6982e8d622d6550a6a170f1c0b9c49
humanhash:	pennsylvania-butter-don-wisconsin
File name:	rectified quote.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	410'112 bytes
First seen:	2020-07-13 14:17:41 UTC
Last seen:	2020-07-13 16:05:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:uHeHQjNij/Ez1BqPerT2mW2zvSpiwDOzq7nfL4dG5X8CTn+kXn+Ej9:uHeOX1zv8iUOzq7fMddCCl
Threatray	4'762 similar samples on MalwareBazaar
TLSH	3094C01553ECC52BF17FA77AE633002187B5AA46F452E7DF998868DD2403780C9A236F
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: ngmontajes.com
Sending IP: 95.211.253.194
From: 'admin' <admin@ngmontajes.com>
Subject: Re: rectified quote
Attachment: rectified quote.zip (contains "rectified quote.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25407/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WOU.19723.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Launching cmd.exe command interpreter

Deleting a system file

Reading critical registry keys

DNS request

Setting browser functions hooks

Stealing user critical data

Enabling autorun with Startup directory

Unauthorized injection to a system process

Unauthorized injection to a browser process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2020-07-13 14:19:06 UTC

File Type:

PE (.Net Exe)

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ofhfewsdn7exz2fy4mnwhr46r4j4yblxzahwcp4clsx567655mpq._file

Verdict:

malicious

Similar samples:

387119236c9bd4c60215cab8efae3cdd16a0fe9906d83016b2dc8ee425fad40d

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

7da1749d927d6d2f4f8175bb1cef8c4a92793b107d24d661d83bd55c57e83df8

8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2

9b861daa0a7b4276df89a7ec49d2dd3388366ad60a3058df70525313799a0d05

a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d

c79a75bdb7f50439434aef1de18f5eaa857b9c0affd00f8e40ef85348df6cf57

d0604fe76ff35e2311825f1822171208bd472c764dfbdbf45e20fad47f6a4472

d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9

fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c

+ 4'752 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

persistence spyware trojan stealer family:formbook

Link:

https://tria.ge/reports/200713-g6aekvhj2j/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Drops startup file

Drops startup file

Reads user/profile data of web browsers

Adds Run entry to policy start application

Formbook

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/714e525a436f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip ee5ab59e924592f9db91c2fd201f13eb426de234ac78c854071ffb7bc7f1aa77

exe 714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f

(this sample)

Dropped by

MD5 799c73ce6fc7a04beb2a16cb34df628d

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/25407/

Dropped by

SHA256 ee5ab59e924592f9db91c2fd201f13eb426de234ac78c854071ffb7bc7f1aa77

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample