MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8
SHA3-384 hash: eab35aae2255e84d1e275e571c1cd36df82258c199a016c1af8e8338ab44a91e10a24208d22608064635a2cf445af948
SHA1 hash: ca433e8eed7e69e53ec6b8012623d518e05ceb2b
MD5 hash: 2d0299a23838bff86867eaa3dd055817
humanhash: robert-orange-crazy-virginia
File name:Jan-2022WIPRO GE.iso
Download: download sample
Signature Formbook
Create hunting rule
File size:1'155'072 bytes
First seen:2022-03-24 10:14:55 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 24576:wkr42zgrPSK33xarPSu6lQs/txOnaymMP0hjhcbBBPWMsWD:wkfsrPS4Ba+uuQs/enapjqp
TLSH T1D535F18C7650B1DFCC2BCD728A681C60A720646B571BE207B45B11EDAB4E99BCF152F3
Reporter cocaman
Tags:FormBook INVOICE iso payment


Avatar
cocaman
Malicious email (T1566.001)
From: "doru.cireasa@clubferoviar.ro" (likely spoofed)
Received: "from server.clubferoviar.ro (clubferoviar.ro [185.236.84.156]) "
Date: "Thu, 24 Mar 2022 06:13:41 +0200"
Subject: "Pending payment topmost urgent for immediate payment have you
received all invoices"
Attachment: "Jan-2022WIPRO GE.iso"

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.MSIL_Troj.CAI.genEldorado.9869.26595.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623c44bd0cd58dbd92e5ec0b/reports/b94d3578-f2b3-4123-a994-284de9827e3f/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 10:15:14 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
10 of 42 (23.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcs3k4tm5akeayzcvvkits2sbvszdt3x7aldzm3b555txfglrhua._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n35q loader rat
Link:
https://tria.ge/reports/220324-maabhaffd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 08a5b5726ce814406322ad5489cb520d6591cf77f8163cb361ef7b3b94cb89e8

(this sample)

Formbook

Executable exe 23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 23e8ba1d8d29ea665daabb8f4e20b677eb9bfffc202b7e6d9cd40d7682e7eaa4

Comments