MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06ee38b6f580cfff67a8d24d827e98155091a83991cd7ae941d347fd4d60d431. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06ee38b6f580cfff67a8d24d827e98155091a83991cd7ae941d347fd4d60d431
SHA3-384 hash: 2b16b968cc805642ff55a348d68c90aab5fd0452922d31bf1e62559c04668b973db0100f3ba86a2d346faecf732e2967
SHA1 hash: 2b347da280c64f674a69b655e4039976211da95c
MD5 hash: d627b1707bb0081d326d8e57ff894013
humanhash: cat-carolina-november-timing
File name:Invoice.zip
Download: download sample
Signature Formbook
Create hunting rule
File size:778'162 bytes
First seen:2021-06-03 15:51:03 UTC
Last seen:2021-06-03 19:55:17 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:KLcvUY0vJ0XcUwgvgK7D6J0Lqcr+P1R+YGafmoeWc9EBcCz/A/smh:r0h0RwOgAOoqdwznoQuBcCzxk
TLSH 4CF423E5D81A5B9E5E7DB35F1E30C38D2B320612F413662D9208F64970AF5A3FA8B0D5
Reporter DFNCERT
Tags:FormBook zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/06ee38b6f580cfff67a8d24d827e98155091a83991cd7ae941d347fd4d60d431
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06ee38b6f580cfff67a8d24d827e98155091a83991cd7ae941d347fd4d60d431/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 14:02:43 UTC
File Type:
Binary (Archive)
Extracted files:
40
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3xdrnxvqdh76z5i2jgye7uycvijdkbzshgxv2kb2nd72tla2qyq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210603-8vwt6lve26/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.kalptarucentrino.com/owws/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06ee38b6f580cfff67a8d24d827e98155091a83991cd7ae941d347fd4d60d431

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 06ee38b6f580cfff67a8d24d827e98155091a83991cd7ae941d347fd4d60d431

(this sample)

Formbook

Executable exe 67ac52a653d895f47806945a2d84d0450ddc245a9191cf7eec37297649d5b3a6

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 67ac52a653d895f47806945a2d84d0450ddc245a9191cf7eec37297649d5b3a6
  
Dropping
MD5 6d9d41b8c7b2019d513c52822c6b7a91

Comments


Avatar
DFN-CERT commented on 2021-06-03 16:01:23 UTC

contains 67ac52a653d895f47806945a2d84d0450ddc245a9191cf7eec37297649d5b3a6