MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb057cfb03afa92cd042a3a39914b3e79179f2e2000030d23cc3b69255a5664e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb057cfb03afa92cd042a3a39914b3e79179f2e2000030d23cc3b69255a5664e
SHA3-384 hash: 5bdb86b17cda2e702d850e741c5d0b500c43bf014c0b114948ceb630a2bc33ac710feaa583b704162df1e8b048ab7285
SHA1 hash: b52087b7f58e9ddd0b2246275f488c4d13f35dd7
MD5 hash: ab9093d9d3fe3befb0a9ccc084488615
humanhash: equal-football-bravo-alaska
File name:Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:596'992 bytes
First seen:2020-10-26 12:54:47 UTC
Last seen:2020-10-26 15:21:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:aLZKADHluUh9CE2z6fKjIAfgVKTJc6so2i6Z4Rcfjg/IJ:mDH99hM8kLoi6g0fJ
Threatray 2'774 similar samples on MalwareBazaar
TLSH E3C4E021738C9746E17D87B84021C030A7F1BC86DB22DA197EE47A9F25F2E848F65B17
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: wooleunglee.com.hk
Sending IP: 156.96.60.139
From: sales@wooleunglee.com.hk
Subject: Re:Bulk Product Inquiries
Attachment: IMG. Video Clips Of Sample Products.img (contains "Quotation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79059/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.25447.884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511743
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 304991 Sample: Quotation.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 34 www.alexcavaliere.com 2->34 36 alexcavaliere.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected AntiVM_3 2->44 46 6 other signatures 2->46 11 Quotation.exe 4 2->11         started        signatures3 process4 signatures5 54 Tries to detect virtualization through RDTSC time measurements 11->54 56 Injects a PE file into a foreign processes 11->56 14 Quotation.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 wilvangroup-rdc.com 185.98.131.234, 49737, 80 RMI-FITECHFR France 17->28 30 alexcavaliere.com 34.102.136.180, 49750, 49754, 80 GOOGLEUS United States 17->30 32 5 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 21 ipconfig.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb057cfb03afa92cd042a3a39914b3e79179f2e2000030d23cc3b69255a5664e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 01:42:36 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mcxz6ydv6uszuccuorzsfft46ixt4xcaaadbur4yo3jevnfmzha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
Formbook
3f3daa13de0dde36e87f536f9cbcabc3170a6ddc4bd261d8ad3d3cd8515f6790
Formbook
3f98571de88f8e13c4197c46d74287d2f0aef827a196ea51cb4b934c6857e04b
Formbook
583dbdbb8f6be59c138dfb514d21b93fa1cd139a1184309ee3962ecaaa0be3b8
Formbook
60831f31acc48a952e24869954c79277d27eeddb14c10d76d0a3b6e61a8e343d
Formbook
6841a00603c067163259e142990659c0217ded69e2895d187fa65f9439034c7f
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
bee8a22eb4d9075c2ad9afd608787229af9cb1d76404f7fbc30e6984b7f3f872
Formbook
c41015f034cca2ff33ce96e08ddb477a92a3fff678bd8e78a78d96bf69e613f1
Formbook
ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320
Formbook
+ 2'764 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201026-b7q3bq1wbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.obluedotpanowdshop.com/pe3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img e2989d88d3c466d97f68c8fe9ab1b6776ccb9dfe22f5ddcafbd4cbc24799337d

Formbook

Executable exe eb057cfb03afa92cd042a3a39914b3e79179f2e2000030d23cc3b69255a5664e

(this sample)

  
Dropped by
MD5 4a3090fa83a972a78c14a5e7aa363e02
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e2989d88d3c466d97f68c8fe9ab1b6776ccb9dfe22f5ddcafbd4cbc24799337d
Cape
Cape
https://www.capesandbox.com/analysis/79059/

Comments