MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1906f759f4a2c8ae9f8823ca245eff46443a04438dfbfa82efa82247ed7421b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	c1906f759f4a2c8ae9f8823ca245eff46443a04438dfbfa82efa82247ed7421b
SHA3-384 hash:	df6e20f96fd89c6e8b4714df742bcf385d872dc71384f4eff006dbc1e3e964e97dc06a70a6c48a9e7989b177a482c55d
SHA1 hash:	9e8403d321517031408390feb809c8911bcb6a76
MD5 hash:	24850c907d861b2c8c2737a18d596773
humanhash:	east-georgia-diet-mango
File name:	QUOTATION.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	350'720 bytes
First seen:	2020-06-17 10:46:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:szb2sPBCTZnhwD8X377iFnVPWBJI9chm/upp9t5BHT0PMJMmZInqtXWq03:szb2sZCTZuD8b7iFBWjIqwuJ3J0PMjzG
Threatray	5'404 similar samples on MalwareBazaar
TLSH	4E749E3C02F8FA27CE7E43B9C056411C63E2D5650B86E789DA1264F9294F35BF66324B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: vps.tiantuct.com
Sending IP: 45.95.169.92
From: PMRG LTD<info@tiantuct.com>
Reply-To: fra_white33@yahoo.com
Subject: QUOTATION
Attachment: QUOTATION.LZH (contains "QUOTATION.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

87

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/19514/

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-17 11:36:23 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ygig65m7jiwiv2pyqi6kerpp6rsehicehdp37kbo7kbci7wxiinq._file

Verdict:

malicious

Similar samples:

06d770563253e518dd207abb9bb30d0ba69b393bc4fa7f1cc9999f0ea1b661f0

1ebe8c4369b01611d9c49ed8aadbbd36de80d306532927b21b426dd0e648f3f3

6deceb88f30de5953a4a9de2fd70415302205f306cdf62e14c922fee23ea721e

8c3ab3dfe110988d790808121453336342297777bdac96a10d317bab2b0de2c6

9586c7e95bd2c4807b9e946ac4fd97e646ac9dd52b4afc781fa85af04c7a92dd

a601e4a16b16f0eacedc679e3f367d990c0cc913470d138b4d3e6d3ba156f7b7

a8fb290af4d6f3cb59e034cfb61e7c6981f246c98c1929b35302bca73a05a472

b7080e861acf13e24b0f995a17697390e262fd128de58e12e99074531ab3963d

bb87a6186306d0417e723b3ae04b70193f32d8b5fe479de840ed10f243234c4d

fe12007b316eaa8d4ef08266bcd9aa166e3cad9d5e7ac3760adfc13a655a8e7d

+ 5'394 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/200624-dss58x3ya6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks whether UAC is enabled

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b1f323a6a7487bc43a241446801d6b26

exe c1906f759f4a2c8ae9f8823ca245eff46443a04438dfbfa82efa82247ed7421b

(this sample)

Dropped by

MD5 b1f323a6a7487bc43a241446801d6b26

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/19514/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample