MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7
SHA3-384 hash:	4de7828c1af7fabfc0b5ead4423c104f75dfe2fd97fe107214e0e43cfc6d08802439f7aa2d3201b8330f9cb00436b74a
SHA1 hash:	935a560fac2399cef0e4d33dabcef38efee9c494
MD5 hash:	77e7444bee5135cbdab1d6ff87e9de99
humanhash:	cat-finch-quebec-harry
File name:	Request for Quotation - RFQ.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	742'912 bytes
First seen:	2020-06-04 07:11:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:+29FxnD/9ZiwtAnSTShi1blckMrw8CeR6S+cGyk347p8qf91SgngIm:+29PT9ZL2odM6gGepZ1e
Threatray	2'311 similar samples on MalwareBazaar
TLSH	90F48D312F9DDD3BD06FCAF8E0C26105F5A5CD9F8D87CB45D8B922E6D422BE0A801656
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: mta-64-161.tll07.zoneas.eu
Sending IP: 217.146.64.161
From: veljo@swecon.ee <veljo@swecon.ee>
Subject: REQUEST FOR QUOTATION
Attachment: Request for Quotation - RFQ.rar (contains "Request for Quotation - RFQ.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-04 07:22:09 UTC

AV detection:

20 of 31 (64.52%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqvqcur6rwfb5jwqtjbgvuvi7oeozbf3tu6qyqtuhodkwfv5ktdq._file

Verdict:

malicious

Similar samples:

1dd89cec8476c901750387a54eb0cce63addcb6037d96de9a78fd736531f9390

2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa

4170e48189174a9cc84f6c019f454a20e30a35605be0f8e2a3e26a516e2c1090

6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b

7fab1d558e165d232858902d7774749256fb81c20ded2487bbc3b7b2cd0d1507

80d185a291cf5c72cf84c63a49ade7e9d7363a3721aa2967c9d143c7d29fa03d

82d52965e0773a40b88a94a459f019220746544e4151f1e3cce6d8979abd5b14

8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e

a1d8dc3627d6274bbc44d637008958b06acf5c9bd4de3d3c8c9229552956d7c5

b6921871cfac8b6c36204546606439b67a55077cff2b4848c95ead0c06495bf4

+ 2'301 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-k54cvlg2be/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Maps connected drives based on registry

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar e7b0a0a757187dd571a4d9d89d7f1a8370e2691473b8ceddfad0170c40ff9495

exe 7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7

(this sample)

Dropped by

MD5 b37c6fc0417783771acbdee054be2bd6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 e7b0a0a757187dd571a4d9d89d7f1a8370e2691473b8ceddfad0170c40ff9495

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample