MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f76be816898a8ac90603edeed2ff90983d062f047f6e00c66d54964c582cc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36f76be816898a8ac90603edeed2ff90983d062f047f6e00c66d54964c582cc8
SHA3-384 hash: 1faa10876573db9bc53062bc6efe6d759e12df18c05846db133c9f5bbb9ec2d7f6f292da8a4cc4dcf8ddb829410bec4e
SHA1 hash: 43e55e4c97dd72e3186e1849242f3cd62d991bd6
MD5 hash: 2b1b6a99d9427ced3bcaaf141dd36b34
humanhash: texas-king-network-network
File name:quotation List #039.pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:332'800 bytes
First seen:2020-07-10 09:16:17 UTC
Last seen:2020-07-10 10:14:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ceee8c87246ba3c80bfb1484123b8e8b (1 x FormBook)
ssdeep 6144:LlxQTtNzEhAtABDHoNfxtaX5mmDnrhpUwJ3MeVeE3vA2QZ75GIcboortWuj4:PAiBoNxt8mYrkVewE/AVkIctZ
Threatray 4'922 similar samples on MalwareBazaar
TLSH 3064AE1CA553D10AF2B82BB197D30A2C8E1A6CC93632A0575B763F5DBFBA3E13C05644
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dedicated.qinfotech.co.za
Sending IP: 160.119.102.217
From: Sales <shirley@sccw.co.za>
Subject: Quotation from Ramada Trading cc
Attachment: quotation List 039.pdf.IMG (contains "quotation List #039.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24328/
Detection(s):
SecuriteInfo.com.BScope.TrojanPSW.Coins.6368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching cmd.exe command interpreter
Creating a window
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/36f76be816898a8ac90603edeed2ff90983d062f047f6e00c66d54964c582cc8/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 09:18:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g33wx2awrgfivsigapw65ux7scmd2brpar7w4aggnvkjmtcyftea._file
Verdict:
malicious
Similar samples:
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
FormBook
7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695
FormBook
75952934e5ef6bb74f29c3320ef112e219cc953dc5ed8c351d742448f61161ff
FormBook
7caa60665e3824a3571669e2f6efe2757e5521af83e28022e5079074e042d52f
FormBook
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
da84453f047b0c5e2a88e6ba46a11f390b4944f7c7f45563e19aef895c196e8e
FormBook
ebfc26187e0b0ad6924461b1f2476321c53b5a23fbfe246e3ed5a475a1ea5678
FormBook
f3a30108ab40b7f31ad7ad191bb41bd3ad148d09597705c1ec0bc0352d18c29e
FormBook
+ 4'912 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200710-emksb34y66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Reads user/profile data of web browsers
Deletes itself
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 89aa5382752a090329e0f8afed48989eda5a0755eb0a6f72150b11d22dcfcdb6

FormBook

Executable exe 36f76be816898a8ac90603edeed2ff90983d062f047f6e00c66d54964c582cc8

(this sample)

  
Dropped by
MD5 4f77022e59fa25fb02d990e8127cadf6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24328/
  
Dropped by
SHA256 89aa5382752a090329e0f8afed48989eda5a0755eb0a6f72150b11d22dcfcdb6

Comments