MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59
SHA3-384 hash: f134ae7a8664fb0adb523c1f674a4cf572de6b901fc62a802e7b5445d4319d2074ce15077a4ad1d0bdc909eda6b06edf
SHA1 hash: 7571f0e5ec12ebabc9077078a2e2a70055b12504
MD5 hash: 57487346f09777112a69c9ec0ad360d2
humanhash: seventeen-butter-gee-monkey
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:299'520 bytes
First seen:2020-08-18 06:26:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:/T485wB11imavjKzCuao39DfBSo/2dchi1S5Gb0Wos:/T485wLfavjYCg3VJSo/Qchn5G/f
Threatray 2'240 similar samples on MalwareBazaar
TLSH 5254DF9B62C26513C93869326122D73817F1531354A3EF39E4AF07936F43FBC6A92AC5
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: imsantv23.netvigator.com
Sending IP: 210.87.247.11
From: Charlotte Lai <kklo@laford.com.hk>
Subject: AW:AW:RE:RE:RE:AW:AW:AW: Laford Procurement (Media Files) Order Request
Attachment: RELaford Procurement Media Files Order Request.img (contains "Quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47526/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 20:56:12 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jy2d2udhbwic5sm3fjaht4eiesodwyib3f2u65r2o5lgv6bon5mq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
Formbook
1b114b7614a73e7b1b75355a4904a7314a91c39ec385a246a67624dfc11b7b8e
Formbook
353bbb86f2947091a4cd8c6e556570654b68b344cd73a3f22409c4b60106ab9c
Formbook
3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6
Formbook
4077e5eeadfc447b88c36f638c37adc77ee35766a737e4a7aca64e61f2ef3d1a
Formbook
62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab
Formbook
9d9739b817d35a815e89c74d8e04d1571e5591de09ca6e8d7a634b140db45605
Formbook
b32579e01c28fc0a157f14ce8c679d02fcd1f5c03f8eef56ba6a77a627786d84
Formbook
c940837494435b53d54b6b4349031a14bf5db905a22b7601e34deb851b109715
Formbook
e86665f5f4cb843757815bce9f8311678c1bc32cdc6537ccc3aedc4502dca4a8
Formbook
+ 2'230 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200818-bsafwgjq5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mage-cart.info/ivd8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 73f7d42dd6233f25f5a7348914c5eb14ba094527596349a35f07e4eb401d4465

Formbook

Executable exe 4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59

(this sample)

  
Dropped by
MD5 5f1d0a5dd119181390fbc99037e7401c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47526/
  
Dropped by
SHA256 73f7d42dd6233f25f5a7348914c5eb14ba094527596349a35f07e4eb401d4465

Comments