MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
SHA3-384 hash: df960ee81bd33d6aca8870b59664be99e1add87dde0132e8319b23d1859bb2dab2ff60387d550a99292abad2912385e1
SHA1 hash: 30a4f6791e540567d5887679af567d660e2e4187
MD5 hash: ccab83b670a6d84be1f7e2b5c2f93fa7
humanhash: beryllium-nevada-angel-minnesota
File name:quotes request.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'017'856 bytes
First seen:2020-08-04 16:47:56 UTC
Last seen:2020-08-04 17:57:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:18trch6tDat1Lwtv2SheIQAPUSdQ+UaaUwHOJrTGBuMq1V5p4wJ8hkdTq8:12HJ2S9P1dQVH2GBuJVJZ
Threatray 4'585 similar samples on MalwareBazaar
TLSH C5257CC2F140C951C96A4E36CD67DA9443337D66EF4797067088BA2B38E31D3AE266C7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

From: Paccagnini Marisa <marisa.pacagnini@pompetravaini.it>
Reply-To: Paccagnini Marisa <marisa.paccagnini@qualityservice.com>
Subject: AW: Quotation Request
Attachment: quotes request.zip (contains "quotes request.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38868/
Detection(s):
SecuriteInfo.com.Backdoor.MSIL.Bladabindi.4637.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409826
Signature
Benign windows process drops PE files
Detected FormBook malware
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257161 Sample: quotes request.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Yara detected AntiVM_3 2->60 62 Yara detected FormBook 2->62 64 5 other signatures 2->64 10 quotes request.exe 3 2->10         started        process3 file4 50 C:\Users\user\...\quotes request.exe.log, ASCII 10->50 dropped 13 quotes request.exe 10->13         started        16 quotes request.exe 10->16         started        18 quotes request.exe 10->18         started        process5 signatures6 86 Modifies the context of a thread in another process (thread injection) 13->86 88 Maps a DLL or memory area into another process 13->88 90 Sample uses process hollowing technique 13->90 92 Queues an APC in another process (thread injection) 13->92 20 explorer.exe 3 6 13->20 injected process7 dnsIp8 52 www.joomlas123.com 199.192.16.98, 49742, 80 NAMECHEAP-NETUS United States 20->52 54 balancer.wixdns.net 35.246.6.109, 49756, 49759, 49760 GOOGLEUS United States 20->54 56 3 other IPs or domains 20->56 44 C:\Users\user\AppData\Local\...\h8tobtp.exe, PE32 20->44 dropped 72 System process connects to network (likely due to code injection or exploit) 20->72 74 Benign windows process drops PE files 20->74 25 wlanext.exe 20->25         started        29 h8tobtp.exe 20->29         started        31 h8tobtp.exe 20->31         started        33 cmmon32.exe 20->33         started        file9 signatures10 process11 file12 46 C:\Users\user\AppData\...\-48logrv.ini, data 25->46 dropped 48 C:\Users\user\AppData\...\-48logri.ini, data 25->48 dropped 76 Detected FormBook malware 25->76 78 Tries to steal Mail credentials (via file access) 25->78 80 Tries to harvest and steal browser information (history, passwords, etc) 25->80 84 2 other signatures 25->84 35 cmd.exe 25->35         started        37 h8tobtp.exe 29->37         started        40 h8tobtp.exe 31->40         started        82 Tries to detect virtualization through RDTSC time measurements 33->82 signatures13 process14 signatures15 42 conhost.exe 35->42         started        66 Modifies the context of a thread in another process (thread injection) 37->66 68 Maps a DLL or memory area into another process 37->68 70 Sample uses process hollowing technique 37->70 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 16:49:07 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nayim3rnig4xbskrol42cvssfrzm7ury7bdmalazqj5scah4lxvq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
2047ecb45a1bd7dad219077cd5446bffc34fdc7acad3d3293c576fc187b08996
Formbook
3ec51daa2ad133cfcdce1ffca7081f96ee58d9b5c2d302cee732e6e2cc3d8cc6
Formbook
5da7735fc8be010eaed89e5776cabe530402d4c6d0c6e5c5de515f12e05081f8
Formbook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
Formbook
900a6f47b5d63eeb95728c0ec9ae469d31564cfbb1849b34549ac0f8de28fcde
Formbook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
Formbook
abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5
Formbook
c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68
Formbook
cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942
Formbook
e8d41df74484529065bad33443225cf40b05423b7cd4b0af478043c13394750e
Formbook
+ 4'575 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200804-anzdk2584e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f178d34eb00544e0d03761e74f49fa6c8aa9a407076c0fe7cd2a02e9ccfaf34d

Formbook

Executable exe 6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb

(this sample)

  
Dropped by
MD5 0735406726d5eae3bbbd0a4b83377682
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38868/
  
Dropped by
SHA256 f178d34eb00544e0d03761e74f49fa6c8aa9a407076c0fe7cd2a02e9ccfaf34d

Comments