MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69f5cc9e97d6441c7fe6c4b8d7c8c332ad357d486056ccef56ad5c20a081e8dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69f5cc9e97d6441c7fe6c4b8d7c8c332ad357d486056ccef56ad5c20a081e8dc
SHA3-384 hash: 247b1e1aad580fabeb98d0ace977641608d5d9decf7b5f9e19009721ae27e267359cc3ce87f13176bad64d92dfe19eb3
SHA1 hash: 5097a88d8133846b56ba6e2bd6454c35a79a2ed6
MD5 hash: 66f3e23b7c742a52474e86d2c20833e9
humanhash: sweet-asparagus-red-montana
File name:Quotation.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:274'944 bytes
First seen:2020-05-08 07:17:33 UTC
Last seen:2020-05-08 07:39:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 6144:/m6l5BvzNXKUM+XtodzeO4V6Xrb4wZ3rYUI:+6XTMYtooSH4wZ3kV
Threatray 5'074 similar samples on MalwareBazaar
TLSH BB4412452E658A3BC1FC16FAB0971A4906F8DF53BC2DE36ED5E1A0D925C73E25810C78
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mato.com
Sending IP: 89.36.215.74
From: reitz@rokslide.com<reitz@rokslide.com>
Subject: Urgent RFQ 17389/ MPR 696
Attachment: Company profile sheet.img (contains "Quotation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44685.20956.23567.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 21:23:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nh24zhux2zcby77gys4npsgdgkwtk7kimblmz32wvvocbieb5doa._file
Verdict:
malicious
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
0707523c23666b0535673287616ea82b34e810594ddf19c45a0746d1bd697070
FormBook
3f423a4bed38af85be2527d22db419c4796f4483ba87f9560dc12aa932c66209
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
FormBook
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
FormBook
d6e2c72145fa1473a21537eb00dfd5f038d441c4852ba54a70234e29cc189e49
FormBook
+ 5'064 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-r5x31cgq2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.cervox.com/dj5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img a667f4b8f6efd10ca859027731a026e7301a046ba59c6af77d191f37d1f62d1d

FormBook

Executable exe 69f5cc9e97d6441c7fe6c4b8d7c8c332ad357d486056ccef56ad5c20a081e8dc

(this sample)

  
Dropped by
MD5 4322fdbe7050dc55c0175a80a0dcf906
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a667f4b8f6efd10ca859027731a026e7301a046ba59c6af77d191f37d1f62d1d

Comments