MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 071f0a59b7025a843ee1ccd6f3b6dc2c027ec124a1a85e206fa5548881001052. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 071f0a59b7025a843ee1ccd6f3b6dc2c027ec124a1a85e206fa5548881001052
SHA3-384 hash: fe363c2abf1a052c5ed19510ed319785f3dfc73424a04d0b1f11f9154907c6f73b7556a2e0872c206a60ec44a726fb0d
SHA1 hash: 7dbc5a35430c54a6d16e97744de9525c1a2e3a69
MD5 hash: 4ee4dfdedfc82af0ff7cb5480ba3e11b
humanhash: cardinal-kentucky-video-stream
File name:PO.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:758'200 bytes
First seen:2021-04-27 12:03:33 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 12288:BTTrhkhbc+l2LYDteHs0lEWuMaSQGU3QpNmXUlJveps1q0uDehu5TIH1dOwDKWQ7:BYbcURK2MlQG+QDPlJva1LD75g+MK5L/
TLSH 74F42321301DDE6FC57B0C45ABD3629C2E8C2BB99E59640133602989C53C76BF67DBAC
Reporter cocaman
Tags:gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Julie Shi <info@uzmanlartipmerkezi.com.tr>" (likely spoofed)
Received: "from zealous-margulis.213-238-182-121.plesk.page (unknown [45.143.99.79]) "
Date: "Tue, 27 Apr 2021 20:00:17 +0800"
Subject: "RV: NI: RFQ: QNL- Revised PO"
Attachment: "PO.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Mal.DrodRar-AIC.12786.5919.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/071f0a59b7025a843ee1ccd6f3b6dc2c027ec124a1a85e206fa5548881001052/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-27 12:04:11 UTC
File Type:
Binary (Archive)
Extracted files:
39
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4pquwnxajniipxbztlphnw4fqbh5qjeuguf4idpuvkiraiacbja._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210427-bldtt7ygf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.riceandginger.com/fcn/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/071f0a59b7025a843ee1ccd6f3b6dc2c027ec124a1a85e206fa5548881001052

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 071f0a59b7025a843ee1ccd6f3b6dc2c027ec124a1a85e206fa5548881001052

(this sample)

Formbook

Executable exe 96beadd4f79febff926c6b5071aad39d09f0a1c9d9810317d38d7ed95ce1559a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 96beadd4f79febff926c6b5071aad39d09f0a1c9d9810317d38d7ed95ce1559a

Comments