MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d
SHA3-384 hash: 3577c4fe2c916cf93c6cf670286b9345191a52a6b2573cc17d05ee8c2765db5e76346e87372e00872f72f87b38883664
SHA1 hash: 7b3686f122ff9852988bec23b9370e02105f1901
MD5 hash: 03db6a5b5fcddd3568895d9212b1c69c
humanhash: salami-kentucky-red-india
File name:QUOTATION_#5.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:385'024 bytes
First seen:2020-05-26 10:00:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:eTWJuTFDKqSdfgIfwAcMxEV2YRymH770H17zT/Ro0XNf+7VQM1Xt/igPcQTRgVTV:LkFD+dqMs2YRbHEV7G0XNf+7VrXdcQTT
Threatray 5'110 similar samples on MalwareBazaar
TLSH 05848C9C365075DFC81BC977D9A82C64AA61B477870BD303A41322EDAA0D6ABCF115F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Brian Richard <sales@qualitech-solutions.cam>
Subject: RE: CONFIRM QUOTATION
Attachment: QUOTATION_5.rar (contains "QUOTATION_#5.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBA.1143.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 13:03:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 31 (54.84%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c
FormBook
0f9158444d5e5387bfc619b035fbc31625cc933643f3eea063eca29cc33455ef
FormBook
161ab2a24a2f0a71e1a50d1110b3ca25ec1a53c1412c2235db94a871bc3c9563
FormBook
20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9
FormBook
2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f
FormBook
538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
FormBook
65a02f6b451bb5ccf5d443b7976da84cb80812e24a909d1038423bfe5ac5e2b8
FormBook
8b9bbca00335521a8fa45d5abf271ccf0eac27d70e44140355f7af671c3dbe7e
FormBook
96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487
FormBook
986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d
FormBook
+ 5'100 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-clb3msj8zx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.govaj.com/bd2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 6a40bbd0ff2805a581201c180e425a2ddb924d073dccdfb635b3533844a580e2

FormBook

Executable exe e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d

(this sample)

  
Dropped by
MD5 ea421027261bdc9ecd17a6eb777fe13c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6a40bbd0ff2805a581201c180e425a2ddb924d073dccdfb635b3533844a580e2

Comments