MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
SHA3-384 hash:	90a57e23254316a22d97712a5515b335a6009e8c63a91ae9e0480ea25c21857103369bab23d0903989efd5010267a73e
SHA1 hash:	ddf9c7594e716165ba362c63f2c8e4e536521395
MD5 hash:	0aaf91f1ebc0c0ce4b9df008dbd0bca5
humanhash:	bulldog-yellow-fillet-beryllium
File name:	REQUEST FOR QUOTATION.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	326'656 bytes
First seen:	2020-06-02 12:58:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	31eda527c6d153109d35dd9b72c3b720 (1 x FormBook)
ssdeep	6144:Kta4aPMdlwgFK374O+f8WCBBU6GtSJPJz:EaPpgFgJUCPJ
Threatray	5'092 similar samples on MalwareBazaar
TLSH	F364D190FA40587DF866C97D45A01DA043981C817A72B3DEAFC4B5967E338938E3E36D
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: park-mx.above.com
Sending IP: 103.224.212.34
From: Heike Schwark <info@galennou.com>
Subject: Fwd: REQUEST FOR QUOTATION
Attachment: REQUEST FOR QUOTATION.rar (contains "REQUEST FOR QUOTATION.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Formbook

Status:

Malicious

First seen:

2020-06-01 23:08:38 UTC

AV detection:

19 of 31 (61.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lzoyqnbtsos2d6mkm3eolftqeprabxhtx2a3ycr4eebzmflnb7va._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

3ebe7729fe5d80990333d4c0255af3b23e4ec2c1f61b9ea563eeb3e050943735

45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f

51ba9fa1830056b815cc4203b57ee4f46b26a5f7dd7f6a01066c94fb88bf8f01

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8

9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412

9e4dcaf1e587af9702c21677d6447f90eff8437573e8400a8668db31d7bc7c3e

aac570b4af97093e3d10f81c8754d3523b4d76fd894333a8e20deb33a4247ab5

e7bbeb241bd49fc993af86cd823ae51bbaa27af0cb5ac02fad387158d8f4fa30

ef14e580eca50b75acae60fa7c6642fa89fc91ee8492f5193608937f4d78781b

+ 5'082 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-94eggjx6nx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.spatren.com/ggj/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b486a65a0ff577a9bdf7bc255b8741cc

exe 5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea

(this sample)

Dropped by

MD5 b486a65a0ff577a9bdf7bc255b8741cc

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample