MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009976024005fe51227fe775348a66081e2d958178685929678ea0453c7e137f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 4

SHA256 hash: 009976024005fe51227fe775348a66081e2d958178685929678ea0453c7e137f
SHA3-384 hash: 570334a0780028427171d300e45e535c4fda9c72388c20ee2bc831be1e0545f6a8ea223af6c2e0f6cc3cec3800de0a22
SHA1 hash: c29cdfd7f2dcd01f54c72bfd8d716a5a5cf9cf14
MD5 hash: def68dfa4922d2f67cb2d012e3c39f37
humanhash: april-carbon-five-carpet
File name: Payment Advice_pdf.ace
Signature: Formbook
File size: 582'166 bytes
First seen: 2021-09-20 09:48:24 UTC
Last seen: Never
File type: ace
MIME type: application/octet-stream
ssdeep: 12288:LN1Vp/e+ZWDGEuPxW1ujDYL1m2cWSguwc9g01MFvDfLvWRwHK1ytLN:LNg+Z7TJJDYLR3u60edaRw2ytLN
TLSH: T138C423F7B0E5116818838AEC051D3AF6B11035D6BE4B147E61C9B5EB5CA439F8373A89
Reporter: cocaman
Tags: ace FormBook HSBC


cocaman
Malicious email (T1566.001)
From: "HSBC Advising Service <advising.services.mail.hsbcnet.hsbc.com@ihxmkso.buzz>" (likely spoofed)
Received: "from hp0.ihxmkso.buzz (hp0.ihxmkso.buzz [159.89.134.171]) "
Date: "20 Sep 2021 02:06:29 -0700"
Subject: "Payment Advice - Advice Ref:[GLV403445242] / Priority payment / Customer Ref:[8688909287]"
Attachment: "Payment Advice_pdf.ace"

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 209
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Infostealer.Fareit
Status: Malicious
First seen: 2021-09-20 09:49:10 UTC
AV detection: 9 of 45 (20.00%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:u86g loader rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction: http://www.springgrowmeanairway.net/u86g/
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ACE_Containing_EXE
Author: Florian Roth - based on Nick Hoffman's rule - Morphick Inc
Description: Looks for ACE archives containing an exe/scr file

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam > Formbook > ace 009976024005fe51227fe775348a66081e2d958178685929678ea0453c7e137f (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Formbook

Comments