MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0505d6f20405f635068b46f0adc82e65ea574da428e4b8fd256c64a9ecf237fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	0505d6f20405f635068b46f0adc82e65ea574da428e4b8fd256c64a9ecf237fe
SHA3-384 hash:	c5a3548cfe08e9697a42e4e7b6fa26068ff1863f2d9471bdb4974e2604658b89dd8034cec17c3eef4620e0fb18ce5f36
SHA1 hash:	5aca3f211f79fec81c22b729c3b489906a51bb47
MD5 hash:	07b4a4b24f0cfad258497c689a8a93fe
humanhash:	undress-beryllium-texas-georgia
File name:	outstanding invoices pdf.7z
Download:	download sample
Signature	Formbook Create hunting rule
File size:	596'847 bytes
First seen:	2021-04-26 05:13:12 UTC
Last seen:	Never
File type:	7z
MIME type:	application/x-rar
ssdeep	12288:e3LPd+3YEVQI2RuEI41LHJTZHezp3ObZiUugifpATbMqQsqRk6R11tv2AkbdiCa:EElIIqTTg3QTnHEki2AkbkCa
TLSH	23C42360EE61C168FDED7CEA3078A279FE9419E60545349E5DC778086F901A08AEDCCF
Reporter	cocaman
Tags:	7z INVOICE

cocaman

Malicious email (T1566.001)
From: "Mike Yang<Yang@acgbahamas.com>" (likely spoofed)
Received: "from acgbahamas.com (unknown [45.137.22.56]) "
Date: "25 Apr 2021 13:12:37 -0700"
Subject: "fwd: Re: outstanding invoices"
Attachment: "outstanding invoices pdf.7z"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27342.RarHeur.v5.HideExt.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0505d6f20405f635068b46f0adc82e65ea574da428e4b8fd256c64a9ecf237fe/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-04-25 15:37:45 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=auc5n4qeax3dkbuli3yk3sbomxvfotnefdslr7jfnrskt3hsg77a._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210426-jf8f4f34g2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://w��5 �@q[*��S=��m

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/0505d6f20405f635068b46f0adc82e65ea574da428e4b8fd256c64a9ecf237fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 0505d6f20405f635068b46f0adc82e65ea574da428e4b8fd256c64a9ecf237fe

(this sample)

Formbook

exe 05b6ee8ad090962be89b9f9d1c604541bfc1914e94c245bad6f469988eed019c

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 05b6ee8ad090962be89b9f9d1c604541bfc1914e94c245bad6f469988eed019c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample