MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90c983c0a5db34d281c7dfe887f8f9273a63c935187a74240fefb5e866bc295d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90c983c0a5db34d281c7dfe887f8f9273a63c935187a74240fefb5e866bc295d
SHA3-384 hash: f96f9d3822cca7c360f247622392eb1e3f459196b218d9306873b5cc056b3f45a79ff220a131761f55724b42451a1736
SHA1 hash: ebebd5dd655d4722fe4e7b9d90c55407f5793b88
MD5 hash: 1d09bbe44fde7829b74c095a1c132a3f
humanhash: mango-spaghetti-nebraska-beer
File name:QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.PIF
Download: download sample
Signature FormBook
Create hunting rule
File size:843'264 bytes
First seen:2020-07-13 14:44:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:q4j88W4UuUGVjE4UjgVYZSTNUe8HS74efs:YVuUGNXn6pc0as
Threatray 4'913 similar samples on MalwareBazaar
TLSH FA05D571B8995858E97E03B4DE6876EDDA707E501903D6BB673131CBD8BE2606C0C0BE
Reporter abuse_ch
Tags:FormBook pif


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: biz-authmsr4.hinet.net
Sending IP: 210.59.136.104
From: sales <osman@kablo.com>
Subject: Quotation Request - Medical Supplies
Attachment: QUOTE REQUEST 21800176_354667485903 _09_07_2020PDF.z (contains "QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.PIF")

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25443/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90c983c0a5db34d281c7dfe887f8f9273a63c935187a74240fefb5e866bc295d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 14:46:06 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdeyhqff3m2nfaoh37uip6hze45ghsjvdb5hijap5626qzv4ffoq._file
Verdict:
malicious
Similar samples:
0edc17effc79112df8aadfd138cc3db51ecb97c7ed54668f1b17a216f45eb5ab
FormBook
1e13e14b2d390dc75cc450654d0201bb43366bc2e4a028e0f5566630fea12630
FormBook
489d3efd8b97c389697e1851b7c4351b28725dca02d2550b2c4e3770d747bc97
FormBook
490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
FormBook
8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32
FormBook
a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
cc84debcfc3e30a4b682bb53e028acb0a75d56607ab25b2418797f65a7e6efb7
FormBook
d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb
FormBook
e1103e6f026f85275a21a6263a141142a733a222c923fa7232c4c9935681e91d
FormBook
+ 4'903 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200713-gcfyeqkytx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

899553bb7f54696f7f6cf97e1c81d9cb

FormBook

Executable exe 90c983c0a5db34d281c7dfe887f8f9273a63c935187a74240fefb5e866bc295d

(this sample)

  
Dropped by
MD5 899553bb7f54696f7f6cf97e1c81d9cb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25443/

Comments