MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80d1c0d6566bacc1b75145357e11d066c3fc49877afc5155eef788f17ee73471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80d1c0d6566bacc1b75145357e11d066c3fc49877afc5155eef788f17ee73471
SHA3-384 hash: afc83d382973569c9d4296a917d75f49b62375c5c907d712804f8da7bf1547bae18f59725a0d5865b540c1d1f305bcf3
SHA1 hash: 9a07d612ef2a76b4ec19510e22fe6ebc69d810f0
MD5 hash: 19d0614755d52d434616634c91d43519
humanhash: blossom-freddie-kitten-romeo
File name:QUOTE 36.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:760'320 bytes
First seen:2020-07-20 08:59:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:BuHlF71q9I6/kldSCGDyaod+ik4g8y3SoDM994NO4yv5wVLeKRP6tm:Bub7OPW2rEloDMT4uqVLeUPGm
Threatray 5'216 similar samples on MalwareBazaar
TLSH 19F4E0C96AA05500D6ED2FF99E62CA784334BD09F1F2930F1FC4A88EF97A792D454352
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dongsonvina.co
Sending IP: 111.90.145.114
From: Brad Tyler <brad.tyler@hysic.co>
Subject: RE: AW: Request for Quote/proforma invoice
Attachment: QUOTE 36.rar (contains "QUOTE 36.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28844/
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391148
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247929 Sample: QUOTE 36.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 9 other signatures 2->79 10 QUOTE 36.exe 5 2->10         started        process3 file4 59 C:\Users\user\AppData\Roaming\bYksQlzNv.exe, PE32 10->59 dropped 61 C:\Users\...\bYksQlzNv.exe:Zone.Identifier, ASCII 10->61 dropped 63 C:\Users\user\AppData\Local\...\tmpCC96.tmp, XML 10->63 dropped 65 C:\Users\user\AppData\...\QUOTE 36.exe.log, ASCII 10->65 dropped 13 QUOTE 36.exe 10->13         started        16 schtasks.exe 1 10->16         started        process5 signatures6 105 Modifies the context of a thread in another process (thread injection) 13->105 107 Maps a DLL or memory area into another process 13->107 109 Sample uses process hollowing technique 13->109 111 Queues an APC in another process (thread injection) 13->111 18 explorer.exe 1 6 13->18 injected 23 conhost.exe 16->23         started        process7 dnsIp8 67 marthataranto.com 34.102.136.180, 49722, 49723, 49724 GOOGLEUS United States 18->67 69 www.herostore.online 209.59.209.80, 49721, 80 BIZLAND-SDUS United States 18->69 71 2 other IPs or domains 18->71 49 C:\Users\user\AppData\...\9rd_lrddxy8.exe, PE32 18->49 dropped 81 System process connects to network (likely due to code injection or exploit) 18->81 83 Benign windows process drops PE files 18->83 25 wlanext.exe 1 19 18->25         started        29 9rd_lrddxy8.exe 1 18->29         started        31 svchost.exe 18->31         started        33 2 other processes 18->33 file9 signatures10 process11 file12 53 C:\Users\user\AppData\...\19Nlogrv.ini, data 25->53 dropped 55 C:\Users\user\AppData\...\19Nlogri.ini, data 25->55 dropped 57 C:\Users\user\AppData\...\19Nlogrf.ini, data 25->57 dropped 93 Detected FormBook malware 25->93 95 Tries to steal Mail credentials (via file access) 25->95 97 Tries to harvest and steal browser information (history, passwords, etc) 25->97 103 2 other signatures 25->103 35 cmd.exe 2 25->35         started        39 cmd.exe 1 25->39         started        99 Injects a PE file into a foreign processes 29->99 41 9rd_lrddxy8.exe 29->41         started        43 9rd_lrddxy8.exe 29->43         started        101 Tries to detect virtualization through RDTSC time measurements 31->101 signatures13 process14 file15 51 C:\Users\user\AppData\Local\Temp\DB1, SQLite 35->51 dropped 85 Tries to harvest and steal browser information (history, passwords, etc) 35->85 45 conhost.exe 35->45         started        47 conhost.exe 39->47         started        87 Modifies the context of a thread in another process (thread injection) 41->87 89 Maps a DLL or memory area into another process 41->89 91 Sample uses process hollowing technique 41->91 signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80d1c0d6566bacc1b75145357e11d066c3fc49877afc5155eef788f17ee73471/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:01:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdi4bvswnowmdn2riu2x4eoqm3b7ysmhpl6fcvpo66epc7xhgryq._file
Verdict:
malicious
Similar samples:
032f594e26c4a20fc56b06210d294f7134f6c9a51cf30b7125db4683465a6643
FormBook
0698cbff335f16544c0a97a71df4f0e52ee4dbddf3cadad2ee0ac52103ea8ed2
FormBook
0ec9f68c897e49e8f0158931b397bba4d5207511d5c05c36038adcddfb3bae88
FormBook
3cc2675e93622e4c76e7af2100e3bda43f0ce0065557d1e66b9e44123351b9c0
FormBook
7ffbd591d72f33b826c40da82f5f72195ca4af6a311bb934862f3cd190d4fdad
FormBook
836d479354578427f7cc678351df35175bc6e4b6a75bd936b1945b961f808a88
FormBook
880bba3fa9d2e255ad00cc35d53aa361bcdf739d16064d669a4b21b9a8034f73
FormBook
aed6c9d200b86186575d13e40ed7231c61bba34c0159c19ca6428168019da4f9
FormBook
c8d4a30dc6aa1224dd98bbb384b54e90ee845cbb0e0e591964868a0be5657897
FormBook
d4f9f7cd2d03cd2a1ede00200777caac9bd3ca5c337ce6bf6e15a3ff8e53f844
FormBook
+ 5'206 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200720-x947jndcw6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80d1c0d6566bacc1b75145357e11d066c3fc49877afc5155eef788f17ee73471

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 4d29c08a1a79f37f2972d5eddd36d22b0e4595b3594a43ca3735ca67c673989c

FormBook

Executable exe 80d1c0d6566bacc1b75145357e11d066c3fc49877afc5155eef788f17ee73471

(this sample)

  
Dropped by
MD5 fcf108c03c958de009c69d61b259c543
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4d29c08a1a79f37f2972d5eddd36d22b0e4595b3594a43ca3735ca67c673989c
Cape
Cape
https://www.capesandbox.com/analysis/28844/

Comments