MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 10



SHA256 hash: a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5
SHA3-384 hash: bb13c745d1b751b9c7b0c51dfcc5b80f98d9778dc65a3ba12bca6957f2922074b1b3d3e3b3ccc3af1727f8a86849ea7f
SHA1 hash: 6b42e6e05060adb9c502820de39daaec6e59b639
MD5 hash: 892800b291892b73d73e80ca270d3117
humanhash: lima-mobile-purple-triple
File name: Quotation.exe
Download: download sample
Signature: FormBook
File size: 274'944 bytes
First seen: 2020-07-20 07:41:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:vlCIEO7pfRIyWmmIGRMe4uO0wrmtOWXZUTeME0efOZXVscZ:vkIEO9pIyWiGwuI2O8UCMheg
Threatray 2'274 similar samples on MalwareBazaar
TLSH 1F44D03863948749D2AD6735F932885483FBBB0ABE27D3992F1460E6985F7FB4410336
Reporter abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: mail.itbiz.gr
Sending IP: 216.55.169.89
From: sm@qcheck-cert.gr
Subject: Quotation and Sample of Products
Attachment: Quotation.zip (contains "Quotation.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph (ID 247619): sample Quotation.exe, start date 20/07/2020, architecture WINDOWS, score 100. The graph rendering (process tree with DNS/IP and dropped-file nodes) is not reproduced here. Process chain shown in the graph: Quotation.exe spawns further Quotation.exe and RegAsm.exe instances; RegAsm.exe injects into explorer.exe, which then launches control.exe, wscript.exe, systray.exe and five other processes; control.exe runs cmd.exe (with conhost.exe). Signatures flagged in the graph:
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Benign windows process drops PE files
Detected FormBook malware
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
6 other signatures
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-20 07:42:13 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: trojan spyware stealer family:formbook persistence evasion
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Gathers network information
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5 (this sample)

Delivery method
Distributed via e-mail attachment

Comments