MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
SHA3-384 hash: 99ab32e7b5bed6892823f6611303bde68a382d09fea4230cc4eea475e2b9f5740b9372e7347c7b61f674a799349f0e32
SHA1 hash: 518518629cf454305463152f15e3f9ae0a951eae
MD5 hash: 5d4343bc084ffb640028ac5575c1277e
humanhash: colorado-orange-green-october
File name:qoutationw.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:559'616 bytes
First seen:2020-08-03 06:59:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:OTyHrexwWwfNDy0rRA1ocXB18MjkiTXHCMe:OQrMWy0rC1ondN
Threatray 5'089 similar samples on MalwareBazaar
TLSH A6C4BF6C0BE00A19F96E1BBEAC360503DF35F44B582BA39F06B154B948BBB949D50F17
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: www1138.sakura.ne.jp
Sending IP: 219.94.129.178
From: Sales Dept <sales01@edas.it>
Subject: RE: EDAS ITALIA SRL (INQUIRY)/Product Catalogs and Price list request
Attachment: EDAS ITALIA SRL product specifications.iso (contains "qoutationw.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/407315
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 07:00:09 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2elwypckwolnhowx3uk4rap5wtrysixj67sttxaqgv3i6nto3t4q._file
Verdict:
malicious
Similar samples:
30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75
FormBook
567501cea05864d3014fb29cd4d74eb3e18dfdfb73f0669f5c0592fc73779afc
FormBook
5919e2d01fbc46e0aedd07630294976681fbb688e1b226dab43e60309747a877
FormBook
7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52
FormBook
887de911a26e0008429adcba8abc212d36423fae62d40aa1df57e2883db77d45
FormBook
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
FormBook
a5343eacd38eeb6e79c054f2a9bdf40573293e9f7f5cff05965b26cd0aa2c308
FormBook
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
FormBook
bf694824d6cbf6fba77ce087678b03ee8243a245b4b730eb55fb83e83b8dff8e
FormBook
bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97
FormBook
+ 5'079 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200803-r5al1q8w6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

iso 42542395939cf980f3c30f3a36e1125c94787b0a1d79c7ba0918f46764a22704

FormBook

Executable exe d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9

(this sample)

  
Dropped by
MD5 2d6781f8efe426d140f1c928a712fca8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37399/
  
Dropped by
SHA256 42542395939cf980f3c30f3a36e1125c94787b0a1d79c7ba0918f46764a22704

Comments