MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 9

SHA256 hash: fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c
SHA3-384 hash: 9a179ae6f71d629bdf28de38a28d7383c63ab36182b97317c366792b10013fc482efb85e5f7dbaf898b1493bd02b9f29
SHA1 hash: dc4ac5af965c8cf1748a7a1ba21bb0e4207c41ac
MD5 hash: 2a41070485cd5c70bed3a7e3ec2ce6c6
humanhash: cold-ohio-blue-oranges
File name: Request_For_Quotation.exe
Signature: Formbook
File size: 264'704 bytes
First seen: 2020-08-03 11:18:23 UTC
Last seen: 2020-08-13 04:24:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 6144:VxnjxgzFtt2WctnlVTbQHvtiO9HQmxjfBm:rjx+tttctnlt8vtHQm7m
Threatray: 4'442 similar samples on MalwareBazaar
TLSH: A844D1751A88443FC7AE457CF46706F6CEA8C6013702EBAA57B9600EFE27395C60725B
Reporter: theDark3d
Tags: FormBook
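Before a downloaded copy of this sample is detonated or shared, confirm that it really is the file the entry describes. The snippet below is an added example written for this page, not MalwareBazaar's own code: it streams a file once through the four digest algorithms listed above and compares the results, and the size, with the values in this entry. The placeholder bytes used in the usage section are constructed and are not the sample.

```python
import hashlib
import io

# Digests and size exactly as listed in this MalwareBazaar entry.
ENTRY_DIGESTS = {
    "md5": "2a41070485cd5c70bed3a7e3ec2ce6c6",
    "sha1": "dc4ac5af965c8cf1748a7a1ba21bb0e4207c41ac",
    "sha256": "fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c",
    "sha3_384": "9a179ae6f71d629bdf28de38a28d7383c63ab36182b97317c366792b10013fc482efb85e5f7dbaf898b1493bd02b9f29",
}
ENTRY_SIZE = 264_704


def digest_all(source, chunk_size=1 << 16):
    """Hash a bytes object or a binary stream in a single pass, feeding every
    chunk to all four hashers so a large sample is read only once.
    Returns (size_in_bytes, {algorithm: hexdigest})."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    hashers = {name: hashlib.new(name) for name in ENTRY_DIGESTS}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(source, expected=ENTRY_DIGESTS, expected_size=ENTRY_SIZE):
    """Return the names of the checks that failed; an empty list means the
    file matches this entry on every listed digest and on size."""
    size, got = digest_all(source)
    failed = [name for name, value in expected.items() if got[name] != value.lower()]
    if size != expected_size:
        failed.append("size")
    return failed


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            problems = verify_sample(f)
    else:
        # Constructed placeholder bytes, not the sample: every check fails.
        problems = verify_sample(b"MZ placeholder, not the real file")
    print("match" if not problems else "mismatch: " + ", ".join(problems))
```

Run it as `python verify.py Request_For_Quotation.exe` against the downloaded file; anything other than `match` means you are holding a different file (a re-packed variant, a truncated download, or a renamed unrelated binary) and the vendor verdicts on this page do not apply to it.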

Intelligence


File Origin
# of uploads: 4
# of downloads: 72
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Creating a window
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph (ID 256115; sample Request_For_Quotation.exe; start date 03/08/2020; architecture WINDOWS; score 100), rendered here as a process tree:

Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected FormBook; Machine Learning detection for sample; 5 other signatures
Contacted at start: www.flyingdutchmantreeservices.com

Request_For_Quotation.exe (12)
  dropped: C:\Users\user\s.exe (PE32); C:\Users\user\AppData\...\HJdyTuap.exe (PE32); C:\Users\user\s.exe:Zone.Identifier (ASCII)
  signatures: Drops PE files to the user root directory; Drops PE files to the startup folder; Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Request_For_Quotation.exe (16): Maps a DLL or memory area into another process
    Request_For_Quotation.exe (21): Maps a DLL or memory area into another process
      Request_For_Quotation.exe (29): Maps a DLL or memory area into another process
        Request_For_Quotation.exe (42): Maps a DLL or memory area into another process
          Request_For_Quotation.exe (49): Maps a DLL or memory area into another process
            RegAsm.exe (56): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
          RegAsm.exe (52): Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique
        RegAsm.exe (45): Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique
      RegAsm.exe (32): Sample uses process hollowing technique
    RegAsm.exe (24): Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique
  RegAsm.exe (19): Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique; Tries to detect virtualization through RDTSC time measurements; Queues an APC in another process (thread injection)
    explorer.exe (26, injected): DNS to www.xn--o39aw5d3yw2os.com; www.f8uc.com; www.amazon-d1.com
      NETSTAT.EXE (34): Modifies the context of a thread in another process (thread injection); Tries to detect virtualization through RDTSC time measurements
        cmd.exe (47)
          conhost.exe (54)
      rundll32.exe (36)
      cmmon32.exe (38)
      4 other processes (40)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-08-03 11:20:08 UTC
File Type: PE (.Net Exe)
AV detection: 40 of 46 (86.96%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: rat trojan spyware stealer family:formbook persistence evasion
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Drops startup file
Formbook Payload
Formbook
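The behaviours reported above (the sample relaunching itself and hollowing RegAsm.exe, a PE dropped to the user profile root and to the Startup folder, removal of the Zone.Identifier stream, netstat run from the injected explorer.exe, and DNS lookups of the contacted domains) map directly onto host-telemetry checks. The following is an added example written for this page, not code from MalwareBazaar or from any of the vendors quoted: it runs a small rule set over constructed Sysmon-style events. The `Key=value|...` line format, the full Startup folder path (the entry only shows `C:\Users\user\AppData\...\HJdyTuap.exe`), and the set of parents treated as legitimate for RegAsm.exe are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from this MalwareBazaar entry.
SAMPLE_SHA256 = "fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c"
CONTACTED_DOMAINS = {
    "www.flyingdutchmantreeservices.com",
    "www.xn--o39aw5d3yw2os.com",
    "www.f8uc.com",
    "www.amazon-d1.com",
}
# Recon tools the sandbox saw launched from the injected explorer.exe.
RECON_TOOLS = {"netstat.exe", "ipconfig.exe"}
# Assumption for the example: RegAsm.exe is normally a child of build tooling,
# never of a freshly downloaded executable in a user profile.
TRUSTED_REGASM_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
USER_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)
ZONE_ID_ADS = re.compile(r":zone\.identifier$", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _parse(line):
    """Split a constructed 'Key=value|Key=value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_event(line):
    """Return every Alert that a single event line triggers (possibly none)."""
    ev = _parse(line)
    alerts = []
    kind = ev.get("Event")
    if kind == "ProcessCreate":
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if SAMPLE_SHA256 in ev.get("Hashes", "").lower():
            alerts.append(Alert("known_sample_hash", ev.get("Image", "")))
        if image == "regasm.exe" and parent not in TRUSTED_REGASM_PARENTS:
            alerts.append(Alert("regasm_untrusted_parent", f"{parent} -> {image}"))
        if image in RECON_TOOLS and parent == "explorer.exe":
            alerts.append(Alert("recon_from_explorer", f"{parent} -> {image}"))
    elif kind == "FileCreate":
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(target):
            alerts.append(Alert("startup_folder_drop", target))
        if USER_ROOT_EXE.match(target):
            alerts.append(Alert("user_root_drop", target))
    elif kind == "FileDelete":
        target = ev.get("TargetFilename", "")
        if ZONE_ID_ADS.search(target):
            alerts.append(Alert("zone_identifier_removed", target))
    elif kind == "DnsQuery":
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in CONTACTED_DOMAINS:
            alerts.append(Alert("known_c2_domain", name))
    return alerts


def scan(lines):
    """Run every rule over an iterable of event lines, in order."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(match_event(line))
    return out


# Constructed event lines modelled on the sandbox process tree above.
SAMPLE_LOG = [
    r"Event=ProcessCreate|Image=C:\Users\user\Request_For_Quotation.exe|ParentImage=C:\Windows\explorer.exe|Hashes=SHA256=FE3306E3CB623199393790E95304CF4D0A24CE092ED2C5C82B48658E987FA56C",
    r"Event=FileCreate|Image=C:\Users\user\Request_For_Quotation.exe|TargetFilename=C:\Users\user\s.exe",
    r"Event=FileCreate|Image=C:\Users\user\Request_For_Quotation.exe|TargetFilename=C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe",
    r"Event=FileDelete|Image=C:\Users\user\Request_For_Quotation.exe|TargetFilename=C:\Users\user\s.exe:Zone.Identifier",
    r"Event=ProcessCreate|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|ParentImage=C:\Users\user\Request_For_Quotation.exe|Hashes=SHA256=0000",
    r"Event=DnsQuery|Image=C:\Windows\explorer.exe|QueryName=www.f8uc.com",
    r"Event=ProcessCreate|Image=C:\Windows\System32\NETSTAT.EXE|ParentImage=C:\Windows\explorer.exe|Hashes=SHA256=1111",
    r"Event=DnsQuery|Image=C:\Windows\explorer.exe|QueryName=www.microsoft.com",
    r"Event=ProcessCreate|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|ParentImage=C:\Program Files\Microsoft Visual Studio\devenv.exe|Hashes=SHA256=2222",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.rule:26} {alert.detail}")
```

The last two constructed lines are benign controls: a lookup of an unrelated domain and RegAsm.exe started by devenv.exe produce no alert, which is the point of keying the RegAsm rule on the parent rather than on the image alone. The hash rule is the only one that is specific to this sample; the other six describe the loader's behaviour and will keep matching across re-packed variants that share the imphash clusters listed above.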
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments