MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00a6ef981cfb0915c42062fc29892b2c55408f5fabbb77ac528cd85428578cc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	00a6ef981cfb0915c42062fc29892b2c55408f5fabbb77ac528cd85428578cc0
SHA3-384 hash:	a01bca79ec5dc6b10f05fd4722be5b2f1c3eb88b932508142445e82f5b951c12a4b972d405893a09e0f41569ab9d1e7b
SHA1 hash:	8197d4eacefd0e77f5599846468432961c9a0706
MD5 hash:	b800504be883e3cda511a86d7c16ee3d
humanhash:	colorado-texas-autumn-idaho
File name:	Shipment Document BL,INV and packing list.jpg.ace
Download:	download sample
Signature	Formbook Create hunting rule
File size:	339'921 bytes
First seen:	2022-02-14 15:53:11 UTC
Last seen:	Never
File type:	ace
MIME type:	application/octet-stream
ssdeep	6144:IhWLuzvLMYZeUa32WIXhDNScYyfNGNBNIq2qAhgFAV9cqrVt:IW6DoUmIRpScYyVGN41q6rV9N/
TLSH	T1E77423671A57B52A7818FEE01E397A266E6B3128F828303E67DFD731937C4448C4D6D0
Reporter	cocaman
Tags:	ace DHL FormBook

cocaman

Malicious email (T1566.001)
From: "DHL Group <dev@lists.roundcube.net>" (likely spoofed)
Received: "from lists.roundcube.net (unknown [203.159.80.182]) "
Date: "14 Feb 2022 15:21:06 +0100"
Subject: "Shipment Document BL,INV and packing list"
Attachment: "Shipment Document BL,INV and packing list.jpg.ace"

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/620a7aeb289e2f3e4fd9e460/reports/817ea91f-4fd3-493c-9a23-9707f28b9141/overview

Result

Verdict:

UNKNOWN

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00a6ef981cfb0915c42062fc29892b2c55408f5fabbb77ac528cd85428578cc0/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-02-14 15:54:12 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 27 (62.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=acto7ga47merlrbaml6ctcjlfrkubd27vo5xplcsrtmfikcxrtaa._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:f1s1 persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220214-tb8c9abchp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/00a6ef981cfb0915c42062fc29892b2c55408f5fabbb77ac528cd85428578cc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ACE_Containing_EXE Create hunting rule
Author:	Florian Roth - based on Nick Hoffman' rule - Morphick Inc
Description:	Looks for ACE Archives containing an exe/scr file