MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5
SHA3-384 hash: 2b9d13a56aebaa62c15497e19350b0701317f3a41ce68b86a9c2cd978e093251c2429ee98929e9128d7713254a2370bb
SHA1 hash: d668dc2a446512e15d3bca5967f7010391ed7c58
MD5 hash: 58ebb1300aa41122e258a1f4e47b1e34
humanhash: illinois-comet-muppet-green
File name:requesting quote.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:548'864 bytes
First seen:2020-07-30 07:44:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:IJNIxcJ76CD1BcRZG60IidcFfoVSxArkW/ePWnozqcK5+QI2cThdb:c0ZGJ1WVbE/SWnAQI2cThdb
Threatray 5'122 similar samples on MalwareBazaar
TLSH 6FC4C0297744EB5EC26F8E358852080097F0FD771703F78B7D923ADC1A6E669AE31291
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server.megatroncorp.community
Sending IP: 162.241.205.158
From: Eric Schiegg <Eric.Schiegg@dvandersteenbv.nl>
Reply-To: Eric Schiegg <dvandersteenbv@europe.com>
Subject: AW: Quote!
Attachment: requesting quote.zip (contains "requesting quote.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35393/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403350
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253910 Sample: requesting quote.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 50 g.msn.com 2->50 52 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->52 68 Malicious sample detected (through community Yara rule) 2->68 70 Yara detected AntiVM_3 2->70 72 Yara detected FormBook 2->72 74 5 other signatures 2->74 11 requesting quote.exe 3 2->11         started        signatures3 process4 file5 48 C:\Users\user\...\requesting quote.exe.log, ASCII 11->48 dropped 92 Injects a PE file into a foreign processes 11->92 15 requesting quote.exe 11->15         started        signatures6 process7 signatures8 94 Modifies the context of a thread in another process (thread injection) 15->94 96 Maps a DLL or memory area into another process 15->96 98 Sample uses process hollowing technique 15->98 100 Queues an APC in another process (thread injection) 15->100 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 54 www.maximalneoptimalne.com 212.57.32.63, 49731, 80 WEBGLOBE-SK-ASSK Slovakia (SLOVAK Republic) 18->54 56 www.sundainty.com 18->56 58 2 other IPs or domains 18->58 42 C:\Users\user\AppData\Local\...\9reknl.exe, PE32 18->42 dropped 76 System process connects to network (likely due to code injection or exploit) 18->76 78 Benign windows process drops PE files 18->78 23 explorer.exe 1 17 18->23         started        27 9reknl.exe 3 18->27         started        29 9reknl.exe 2 18->29         started        31 4 other processes 18->31 file11 signatures12 process13 file14 44 C:\Users\user\AppData\...\85-logrv.ini, data 23->44 dropped 46 C:\Users\user\AppData\...\85-logri.ini, data 23->46 dropped 80 Detected FormBook malware 23->80 82 Tries to steal Mail credentials (via file access) 23->82 84 Tries to harvest and steal browser information (history, passwords, etc) 23->84 90 2 other signatures 23->90 33 cmd.exe 1 23->33         started        86 Injects a PE file into a foreign processes 27->86 36 9reknl.exe 27->36         started        38 9reknl.exe 29->38         started        88 Tries to detect virtualization through RDTSC time measurements 31->88 signatures15 process16 signatures17 60 Tries to detect virtualization through RDTSC time measurements 33->60 40 conhost.exe 33->40         started        62 Modifies the context of a thread in another process (thread injection) 36->62 64 Maps a DLL or memory area into another process 36->64 66 Sample uses process hollowing technique 36->66 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 07:46:11 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpo2h4c7tiu2xdvg6rovespqifukc7z3mqbuunmw7cypc4a5wgsq._file
Verdict:
malicious
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
Formbook
16b59963cf5398fe9d50d18723bf7b78073a6fd4d1dfd3072b45b8852ead2d58
Formbook
3ec51daa2ad133cfcdce1ffca7081f96ee58d9b5c2d302cee732e6e2cc3d8cc6
Formbook
6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
Formbook
a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453
Formbook
b3b093d992d26b0d21a61a778598abd5dd87649a89f724c2798f60f9dc19de1a
Formbook
c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68
Formbook
d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e
Formbook
df745e4434b953ab404e59ef73608a9f3148fa7d629a28b7401c295efdf618b6
Formbook
fda70d68d95854fd28bf29b6128d0d97b437d20798a532e6bb5c5e26d0785594
Formbook
+ 5'112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200730-lsst17758n/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 27cc4bf8347a0f75e7fde7c3f1019fe0d468435e9d013a7974613666c1268536

Formbook

Executable exe abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5

(this sample)

  
Dropped by
MD5 d7cc577c506fcba80edd5e5f99fad631
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 27cc4bf8347a0f75e7fde7c3f1019fe0d468435e9d013a7974613666c1268536
Cape
Cape
https://www.capesandbox.com/analysis/35393/

Comments