MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331
SHA3-384 hash: 86f64158d5803378f109dc32775e96741ebe8452a1a4ace8ee66121fa4c36c56ad0aea21599d4d1bc9077795001809ad
SHA1 hash: f40cd6481a66c1608a6b97580fe69f2e4904ed6d
MD5 hash: 937aa5650aa985dd443f4a03156967c9
humanhash: pennsylvania-four-comet-oxygen
File name: Scan Bill of Lading.xlsm
Signature: Formbook
File size: 408'372 bytes
First seen: 2020-06-30 06:46:59 UTC
Last seen: 2020-06-30 07:45:43 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:i908By8nGThjIb7H2UauevqSjFj0xfYiY:i9pLwhGH297vPZgZY
TLSH: A294236F642C7D83CE9B9C5E9A0CCCD5321D831A3307BAF575506580CDDB2AE06A5CE9
Reporter: @abuse_ch
Tags: FormBook Maersk xlsm


Twitter
@abuse_ch
Malspam distributing Formbook:

HELO: slot0.winnwinnllc.ga
Sending IP: 68.183.98.32
From: "Maersk Line " <info@winnwinnllc.ga>
Subject: Scan Bill of Lading
Attachment: Scan Bill of Lading.xlsm

FormBook payload URL:
https://kyivremont.com/vbc.exe

Intelligence


Mail intelligence
Trap location: Global
Impact: Medium

# of uploads: 2
# of downloads: 33
Origin country: US

ClamAV: SecuriteInfo.com.ISB.Downloadergen48.11803.UNOFFICIAL

CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331/

ReversingLabs Status: Benign
Threat name: No data
First seen: 2020-06-30 06:48:05 UTC
AV detection: 2 of 48 (4.17%)
Trust factor:

Spamhaus Hash Blocklist: Malicious file

Hatching Triage Score: 10/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-5m9l7sr2ae/
Tags: evasion spyware trojan

VirusTotal: Virustotal results 10.94%

Yara Signatures


Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsm f4dcd21a2e0b2f4432b665157a1f934e5063be6bbf7ef5f92b365bbbeca92331

(this sample)

  
Delivery method: Distributed via e-mail attachment
