MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c
SHA3-384 hash: 046df729d45eb252121c7e223d16f663f622d8b8046f2d6dea5bf3fa9c48fe4241fe2f65572e880988a3dcd2f025d5b1
SHA1 hash: 5aac177149077b3297e55b6d4c75d4ad6a8e7b8d
MD5 hash: c19ddc20a4de176cbf02fff7a3579ddf
humanhash: kilo-robin-helium-washington
File name:QUOTE #5.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:330'240 bytes
First seen:2020-05-20 07:45:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dfGmYIp6486WF4RPdvT2yjcEqw3+mqu3gC3/7J67ebWgL2M1SbKOt84O:dfGbIp648VAPdLHcViVVzw7zg9SjO
Threatray 5'159 similar samples on MalwareBazaar
TLSH 0464CF5573A48E0BCAED81FD8491A28043F062B35682F7EA4CC677DB36C37D78A16587
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Cathy Dennis <cathydennis@qualitech-solutions.cam>
Subject: RE: CONFIRM QUOTATION
Attachment: QUOTE 5.rar (contains "QUOTE #5.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 08:36:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ai6kewqy463p4tbdi2dy75hgrdabd3yqsadbd5mwrhciqh3wk6oa._file
Verdict:
malicious
Similar samples:
0f9158444d5e5387bfc619b035fbc31625cc933643f3eea063eca29cc33455ef
FormBook
161ab2a24a2f0a71e1a50d1110b3ca25ec1a53c1412c2235db94a871bc3c9563
FormBook
20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9
FormBook
2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f
FormBook
538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
FormBook
65a02f6b451bb5ccf5d443b7976da84cb80812e24a909d1038423bfe5ac5e2b8
FormBook
8b9bbca00335521a8fa45d5abf271ccf0eac27d70e44140355f7af671c3dbe7e
FormBook
96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487
FormBook
986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d
FormBook
e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d
FormBook
+ 5'149 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-4dkjtn1dqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.govaj.com/bd2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 53bd75e6b7540d1a58ac9facb9e0bab2dd9782dfb53e0b667c5551d964da820c

FormBook

Executable exe 023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c

(this sample)

  
Dropped by
MD5 48f9e09f5b9c1336ff7425c0cba06c82
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53bd75e6b7540d1a58ac9facb9e0bab2dd9782dfb53e0b667c5551d964da820c

Comments