MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e64a40c05ac395f8751ac149772087476c75ae46a7e7831fbd00b20fd3edcf99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e64a40c05ac395f8751ac149772087476c75ae46a7e7831fbd00b20fd3edcf99
SHA3-384 hash: 65728ab62002d155b00c830fdb7fc48be6fe9e5f47ab28e27e701a27ec6c18b7707f4749111fd473743dcf6b1b412d08
SHA1 hash: 531de5b043cff52cf9090d225d7d14eceb634de9
MD5 hash: 76d002a7f73aee6e8226620d3c73092a
humanhash: table-kentucky-crazy-item
File name:quotation.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:500'736 bytes
First seen:2020-05-05 07:42:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zonob++kHvRPK02b4kJLvpIZwcMUWXYn:zon6GPF64kJaNM/X
Threatray 4'855 similar samples on MalwareBazaar
TLSH ACB48C116EFADD3BE2F27BFB05A031415E2EBE622D22F14D24547286FD73A01C990667
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: colorntouch.co
Sending IP: 111.90.141.162
From: Purchasing <purchasing@majuuniversal.com>
Reply-To: intertradeemito@gmail.com
Subject: REQUEST FOR QUOTATION - PR-S/P-100789
Attachment: quotation.rar (contains "quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44370.30062.18839.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 08:36:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
51
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zfebqc2yok7q5i2yfexoiehi5whllsgu7tygh55acza7u7nz6mq._file
Verdict:
malicious
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
059adc86fc6f66c311937e2fd4910fa9d07d55b1897daa608bfb54e01f655257
FormBook
1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455
FormBook
7654e7f6d4c0f38e9f771bf4c6d002b6e816d169afcabee3f028081a25b25506
FormBook
8697eb117ba4ca2b18a9a7bbdcbd201cc062e2e79ccbc9d8ea785baf5b868657
FormBook
923a8eab7773b5be5e3e380de1505a2c6c71f7b82329e9f3b3ff1461dc057610
FormBook
b97bfa891b722322095fcbd10be1c232066827749e4f5dc945beacf1a84d1658
FormBook
c921c868103f592befe1f7c0787c6389b914d8f09ffd8cccac514b610dfc1975
FormBook
e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453
FormBook
e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de
FormBook
+ 4'845 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-ftxdtfzd3n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.howndey.com/xd4/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar a1c1b89e8ed24d485860f8cb6486d68e68e93949232128bf1820a700cb1d3847

FormBook

Executable exe e64a40c05ac395f8751ac149772087476c75ae46a7e7831fbd00b20fd3edcf99

(this sample)

  
Dropped by
MD5 37e3d4b364fbf2432b7a42b70c1bf3bb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a1c1b89e8ed24d485860f8cb6486d68e68e93949232128bf1820a700cb1d3847

Comments