MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f9973f8abd9e5fb811ccb04db4fc7063fb01623edd3f53e9a8a20e352ffa8ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	6f9973f8abd9e5fb811ccb04db4fc7063fb01623edd3f53e9a8a20e352ffa8ba
SHA3-384 hash:	5e26887b5bed530b9478c363aad72b3817c0b510f31b3068bc22424671be61cb8b79fdf997fbd4f919833bdca3a85cc0
SHA1 hash:	28ddee1b6b033c57e8ce033db930fd7a403acdf2
MD5 hash:	f47260278fdefc14190e08fea301753b
humanhash:	bakerloo-april-freddie-juliet
File name:	Quotation.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	561'152 bytes
First seen:	2020-08-18 19:47:43 UTC
Last seen:	2020-08-18 20:48:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:PXVf+k96iZtrNKBvIt2x/TmH2EbiRSGU2Jp/xGUUoWMYHx5zjhMB:Nf+ofZ/Imk/6H2qiRSGnpZGUJWMYR92B
Threatray	2'267 similar samples on MalwareBazaar
TLSH	95C4F1363294D714C1BB133ACD99604543F9F807BA22DBAEBD98225D49217E64F237CB
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: smtp2.hiworks.co.kr
Sending IP: 121.254.168.210
From: yingyebu@iltop.net <yingyebu@iltop.net>
Reply-To: "yingyebu@iltop.net" <yingyebu@iltop.net>
Subject: RE:Request For Quotation
Attachment: SKM43555654543.img (contains "Quotation.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/48092/

Detection(s):

SecuriteInfo.com.Trojan.Inject3.51879.18979.26095.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/6f9973f8abd9e5fb811ccb04db4fc7063fb01623edd3f53e9a8a20e352ffa8ba/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-18 16:05:17 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6mxh6fl3hs7xai4zmcnwt6hay73afrd5xj7kpu2riqogux7vc5a._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049

2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5

30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75

3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117

8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d

a5343eacd38eeb6e79c054f2a9bdf40573293e9f7f5cff05965b26cd0aa2c308

bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97

eb5430ed81a3aa90b1d0b3c74f303dce507b1535b8b44269db7c6b56f62f84d6

ec24550a9fa2fdb2a0e7c739b9ac97387925808dbd832b11675f18e48a93bcc5

f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721

+ 2'257 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat spyware trojan stealer family:formbook

Link:

https://tria.ge/reports/200818-1wc46mcmke/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.lonxer.com/dmn/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6f9973f8abd9e5fb811ccb04db4fc7063fb01623edd3f53e9a8a20e352ffa8ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img ec4bc9d88a6dd7070ebfd8fad799fccd0dd248780a051b0837fe8eddfd189eb1

exe 6f9973f8abd9e5fb811ccb04db4fc7063fb01623edd3f53e9a8a20e352ffa8ba

(this sample)

Dropped by

MD5 9ff874d015bbdc6e2fb5eb25f0e87413

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48092/

Dropped by

SHA256 ec4bc9d88a6dd7070ebfd8fad799fccd0dd248780a051b0837fe8eddfd189eb1

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample