MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aac2e9b322ee36de9cd43e311a1f729f0cab79a5704a4d849cf0ad22fd357a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6


SHA256 hash: 0aac2e9b322ee36de9cd43e311a1f729f0cab79a5704a4d849cf0ad22fd357a5
SHA3-384 hash: 5797cf0c9c468c872d812a6be5511bba620c148ea6c283f126afb84c4ee023ac30398224b1d840c1b8db613f72bfa951
SHA1 hash: 6e29a610837bcd1d304f558d9597fc395c87cde6
MD5 hash: 087a1a6ca1519efe7bb0e31092a148f1
humanhash: maine-vegan-east-friend
File name: Bank Payment Report.ace
Signature: Formbook
File size: 97'811 bytes
First seen: 2022-01-20 13:35:26 UTC
Last seen: Never
File type: ace
MIME type: application/octet-stream
ssdeep: 1536:O35PBIER4w1x0dfTDok8Ah8x7Ozx8CZQKcT3Z+rZj9/Fnza2c0Mlsk/i0KlPSl:O3ZBIk4e2dfHb8Ah8x7ZCZNcgrL9za59
TLSH: T17FA302CEB17D86162E1F72C09FED008A027D485AD13C57561B998A2F6B32C297611DFE
Reporter: cocaman
Tags: ace FormBook


cocaman
Malicious email (T1566.001)
From: ""Rose Allen" <info@oceankingexportltd.com>" (likely spoofed)
Received: "from mageneet.com (unknown [212.192.246.57]) "
Date: "20 Jan 2022 01:12:49 -0800"
Subject: "Return Payment Report Copy // Bank Details Reconfirmation - TOP URGENT"
Attachment: "Bank Payment Report.ace"

Intelligence


File Origin
# of uploads: 1
# of downloads: 112
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit wacatac

Result
Verdict: MALICIOUS
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-01-20 08:56:41 UTC
File Type: Binary (Archive)
Extracted files: 13
AV detection: 14 of 28 (50.00%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:geur loader persistence rat suricata
Behaviour:
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Sets service image path in registry
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ACE_Containing_EXE
Author: Florian Roth - based on Nick Hoffman's rule - Morphick Inc
Description: Looks for ACE archives containing an exe/scr file

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Formbook
ace 0aac2e9b322ee36de9cd43e311a1f729f0cab79a5704a4d849cf0ad22fd357a5 (this sample)
Delivery method: Distributed via e-mail attachment
