MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 583dbdbb8f6be59c138dfb514d21b93fa1cd139a1184309ee3962ecaaa0be3b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 583dbdbb8f6be59c138dfb514d21b93fa1cd139a1184309ee3962ecaaa0be3b8
SHA3-384 hash: 43ede611bcb7bc45a0396b34210f17daeb35f758180c39e107b38b8ac0f5ddf97fb3f64aac70dc08abd4e10a53aacf54
SHA1 hash: e9ed3840212331b0704e272db04d2d1c6ac609f2
MD5 hash: 8a599b6048abc1e05801054ed364e606
humanhash: zebra-thirteen-thirteen-johnny
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'206'272 bytes
First seen:2020-10-27 10:07:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:I0NYTuHsfUyaltp+b+KFontB1sCzlvbjlyLvpXrvSWTlIZzBn/7lY25lyj/VX9na:In/8NfW+4ItB1suvcrpBOxsdXxa
Threatray 2'851 similar samples on MalwareBazaar
TLSH EB45B5DD326072DFC45BC972CAA81C64EB907C7B931BC213A05725ADAA2D997CF150F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: wooleunglee.com.hk
Sending IP: 156.96.60.139
From: sales@wooleunglee.com.hk
Subject: Re:Bulk Product Inquiries
Attachment: IMAGED RFQ agaisnt ENQ NO-E1503010.img (contains "Quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79775/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.42816.18045.27941.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513218
Signature
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305723 Sample: Quotation.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 30 cdn.onenote.net 2->30 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AntiVM_3 2->42 44 6 other signatures 2->44 11 Quotation.exe 3 2->11         started        signatures3 process4 signatures5 54 Detected unpacking (changes PE section rights) 11->54 56 Detected unpacking (overwrites its own PE header) 11->56 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Injects a PE file into a foreign processes 11->60 14 Quotation.exe 11->14         started        17 Quotation.exe 11->17         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 19 explorer.exe 14->19 injected process8 dnsIp9 32 www.vt999bet.com 112.213.89.38, 49746, 80 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 19->32 34 parkingpage.namecheap.com 198.54.117.212, 49747, 80 NAMECHEAP-NETUS United States 19->34 36 3 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 cscript.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/583dbdbb8f6be59c138dfb514d21b93fa1cd139a1184309ee3962ecaaa0be3b8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 00:39:58 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=la633o4pnpszye4n7niu2inzh6q42e42cgcdbhxdsyxmvkql4o4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0375352dd935ee474c225b1e7c35707a10f7100b0167bbabd5a497dbb34777cf
Formbook
176b6a4f321a046262569c7e6302f9cd734282399645f8b13538489f5183a617
Formbook
3f98571de88f8e13c4197c46d74287d2f0aef827a196ea51cb4b934c6857e04b
Formbook
6841a00603c067163259e142990659c0217ded69e2895d187fa65f9439034c7f
Formbook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
911fec402f3bb42d731c4e177c322c0df8d79f680e5a18f538a3ff2e3086c2bf
Formbook
9abd8b37403ea5e7b381e0644acc6655dc01efc4be1edf69992c5a68c33eff1f
Formbook
ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320
Formbook
eb057cfb03afa92cd042a3a39914b3e79179f2e2000030d23cc3b69255a5664e
Formbook
+ 2'841 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201027-yz8x9dqhfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.obluedotpanowdshop.com/pe3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 0509a024acb7c351e997bdafda8c3361c7e9628e755eca65776502a0c57dd172

Formbook

Executable exe 583dbdbb8f6be59c138dfb514d21b93fa1cd139a1184309ee3962ecaaa0be3b8

(this sample)

  
Dropped by
MD5 28681b1f07c70b74c2bc3763830b82df
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0509a024acb7c351e997bdafda8c3361c7e9628e755eca65776502a0c57dd172
Cape
Cape
https://www.capesandbox.com/analysis/79775/

Comments