MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32
SHA3-384 hash: 68fae4191a22e5ce3189b1ea2b1ef3f3f491221eb6a228d11a93b98100b2b5eb9867731c3a38c787c3aef32a39f30f87
SHA1 hash: ee4185e2232581c17e45b5598a07a99f49887364
MD5 hash: c1b13db471da675d9887133f6de51d4d
humanhash: freddie-alpha-angel-cat
File name:IMAGES-001-QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:516'096 bytes
First seen:2020-07-10 07:00:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:7w2NHiToBmvO4uKRyRanJ4FobpbdkET8SiU1SR6zNwB5V3MVTUwDSLtHCSK:XHo9Z0RgJ4SbpbnTBiU1SYJMVcNbDSi
Threatray 5'265 similar samples on MalwareBazaar
TLSH E6B46CA1FCA4AA2DFA7DC6F809B4BBE49E502B254D43C7C1177235C9C4FEA026D4C592
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: 3goz.com
Sending IP: 213.128.71.98
From: Leons M <osman@kablo.com>
Subject: RFQ for SS304L U-Tube bundle & OUR QUOTE NO. Q230
Attachment: IMAGES-001-QUOTE REQUEST 21800176_354667485903 _09_07_2020PDF.z (contains "IMAGES-001-QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24228/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENZE.5511.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 07:02:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2sajnlngna4xtccyl43thdm7cvek7muwuyz4gn644uftpu3dqza._file
Verdict:
malicious
Similar samples:
0edc17effc79112df8aadfd138cc3db51ecb97c7ed54668f1b17a216f45eb5ab
FormBook
1e13e14b2d390dc75cc450654d0201bb43366bc2e4a028e0f5566630fea12630
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f
FormBook
6dcf4557563343e881daf4b7d7b01e372457cee637ac001a1102a2e67a69cbf8
FormBook
8155c967977dee334ccd8751bb30dbe3e2a134c387ac6d7e48ba5043e07441df
FormBook
8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
FormBook
90c983c0a5db34d281c7dfe887f8f9273a63c935187a74240fefb5e866bc295d
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
fd77bda3f991235956974723013237b8dd8ed7f661dfad976d2fde68804c55a7
FormBook
+ 5'255 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200710-rzgkjcfxjj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z f5724fd0f22c33f2e9e1158976c6db54b02ba90774ee26eb5e423d5a816bea3c

FormBook

Executable exe 8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32

(this sample)

  
Dropped by
MD5 5ec3febf93b49ff95b8c96f65da8a468
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24228/
  
Dropped by
SHA256 f5724fd0f22c33f2e9e1158976c6db54b02ba90774ee26eb5e423d5a816bea3c

Comments