MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c327cc4c54ba20e649ab27c83ea7d5fcf2a596ae3f9feb50b2f5d550bcb71bf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c327cc4c54ba20e649ab27c83ea7d5fcf2a596ae3f9feb50b2f5d550bcb71bf8
SHA3-384 hash: afd1ac7e0d255ca81404c88169edac89bcacbfadad1ab19f469d77adc294777582f9281bb860878720069bf7bcc66d14
SHA1 hash: 11abbf143e53cc33fd9f3faaafcd405d1554c3ab
MD5 hash: 04e9512a58cc579f1a304cf851c26953
humanhash: four-rugby-lactose-colorado
File name:quote-THP1403 080620.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:467'456 bytes
First seen:2020-07-07 08:52:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:95PHUqzhv4F1QU+BHtCOnG6BtrxUOj3GOeh+2eju0A:tU+xBn7BM47eh+2ej0
Threatray 5'157 similar samples on MalwareBazaar
TLSH 1DA4AD313222AEB7C63A08F4864424414FF55A97226DE3DF7CCAB1CA81C9FD09E955B7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-748566.hostwindsdns.com
Sending IP: 104.168.155.2
From: Dat-tH company <sr@grandtek.pw>
Reply-To: Dat-tH company <mahdi_bashii45@yahoo.com>
Subject: Please quotation for valves / RFQ no. THP1403 080620
Attachment: quote-THP1403 080620.zip (contains "quote-THP1403 080620.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22093/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c327cc4c54ba20e649ab27c83ea7d5fcf2a596ae3f9feb50b2f5d550bcb71bf8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 00:47:44 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymt4ytcuxiqomsnle7ed5j6v7tzklfvoh6p6wufs6xkvbpfxdp4a._file
Verdict:
malicious
Similar samples:
03a99b633ca01928659955c896a703e45cbc1527738b53a5d6267fa8da44c030
FormBook
1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919
FormBook
3c5ef5423e281a468e9f0381327a9635f20626a98054e769fc08dd4270db01e4
FormBook
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
FormBook
57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664
FormBook
61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
FormBook
931de7a667086f50575388e97d16c318682f63c8ba9d044aa006abc6e26f2862
FormBook
c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
FormBook
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
FormBook
faf1dca0b043816dc1a448c778e8fc03030add15983e04a7cc39851297615c4f
FormBook
+ 5'147 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200707-ta5yekz8cx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 2d4b447cd683c9551f780d5da0f8591446a845a8059f630fb792e4c2697401ce

FormBook

Executable exe c327cc4c54ba20e649ab27c83ea7d5fcf2a596ae3f9feb50b2f5d550bcb71bf8

(this sample)

  
Dropped by
MD5 31ce3c087864a2ab3b83bce8b3f03a3d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22093/
  
Dropped by
SHA256 2d4b447cd683c9551f780d5da0f8591446a845a8059f630fb792e4c2697401ce

Comments