MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8fb290af4d6f3cb59e034cfb61e7c6981f246c98c1929b35302bca73a05a472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8fb290af4d6f3cb59e034cfb61e7c6981f246c98c1929b35302bca73a05a472
SHA3-384 hash: b5a0ce380dd2b9eebda74da50bb10c8d2fd7346494f19bc0b6052c4f14ab1e81bdf14bb4ceb20010c48ecafeb7083947
SHA1 hash: 27bcfbfdfcabc05656491af1880d8606b1ff3085
MD5 hash: a9128902c74946eeebaa5a0c3172f816
humanhash: jig-zulu-whiskey-oklahoma
File name:QUOTATION.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:352'256 bytes
First seen:2020-06-17 10:10:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:exbYtPsaUiCq+jUAVmMCPxhlwH12gOeiGFzDM0POJ5jf27xxM/imVWZ0y:exbYtPCuemThu8gJimHWJpe7xxbYWZ0y
Threatray 5'396 similar samples on MalwareBazaar
TLSH 9074BF3C43A9AA13D57D47BFD1A5414C93E3C1A2ABDADB8D4A0220EB1B4A767F133147
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vps.tiantuct.com
Sending IP: 45.95.169.92
From: PMRG LTD<info@tiantuct.com>
Reply-To: fra_white33@yahoo.com
Subject: QUOTATION
Attachment: QUOTATION.LZH (contains "QUOTATION.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19483/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.54526.17879.15351.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 10:37:19 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vd5sscxu23z4wwpagth3mht4nga7erwjrqmstm2tak6kooqfurza._file
Verdict:
malicious
Similar samples:
06d770563253e518dd207abb9bb30d0ba69b393bc4fa7f1cc9999f0ea1b661f0
FormBook
1ebe8c4369b01611d9c49ed8aadbbd36de80d306532927b21b426dd0e648f3f3
FormBook
6deceb88f30de5953a4a9de2fd70415302205f306cdf62e14c922fee23ea721e
FormBook
8c3ab3dfe110988d790808121453336342297777bdac96a10d317bab2b0de2c6
FormBook
9586c7e95bd2c4807b9e946ac4fd97e646ac9dd52b4afc781fa85af04c7a92dd
FormBook
a601e4a16b16f0eacedc679e3f367d990c0cc913470d138b4d3e6d3ba156f7b7
FormBook
b7080e861acf13e24b0f995a17697390e262fd128de58e12e99074531ab3963d
FormBook
bb87a6186306d0417e723b3ae04b70193f32d8b5fe479de840ed10f243234c4d
FormBook
c1906f759f4a2c8ae9f8823ca245eff46443a04438dfbfa82efa82247ed7421b
FormBook
fe12007b316eaa8d4ef08266bcd9aa166e3cad9d5e7ac3760adfc13a655a8e7d
FormBook
+ 5'386 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan persistence spyware
Link:
https://tria.ge/reports/200624-xkdcjbjpmj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Reads user/profile data of web browsers
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar e8e016a2ee1c64ca21b8e272647e9c9cda49bb6e2400cff8d4b6d16b6ba1019a

FormBook

Executable exe a8fb290af4d6f3cb59e034cfb61e7c6981f246c98c1929b35302bca73a05a472

(this sample)

  
Dropped by
MD5 6f541c525b8d39a9e5557b98450aeb6d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e8e016a2ee1c64ca21b8e272647e9c9cda49bb6e2400cff8d4b6d16b6ba1019a
Cape
Cape
https://www.capesandbox.com/analysis/19483/

Comments